Hybrid Azure AD join – Part two: automatic enrollment in Intune

Welcome to the second part of our Hybrid Azure AD join guide. If you have missed our first part, where we explain what Hybrid Azure AD join actually is and how to set it up, be sure to check it out here!

Before we start, make sure you set up Intune environment to accept automatic enrollment (licensing & MDM scope).

Let’s get right into it. Now that our W10 device is registered as a Hybrid Azure AD joined device, we can start doing stuff with it. In order to start managing this device via Intune, it must be enrolled first. This can be done manually but since we are professional computer geeks (and a bit lazy), we want this done automatically. Let’s start by testing this on a single device.

Testing for a single device

To give our Hybrid Azure AD joined device a trial by fire, we will edit its local group policies to automatically enroll into Intune.

First of all start by hitting Windows + R (opening the Run window) and type gpedit.msc.
To run this command, you need to be logged in as the administrator.

gpedit

We are now in the Local Group Policy Editor.
Go to Computer Configuration > Administrative Templates > Windows Components > MDM.
Here you will find two settings, of which we select the first one.
Set Enable automatic MDM enrollment using default Azure AD credentials to Enabled.

localgrouppolicy

enableMDM

As a result, enabling this will create scheduled task that will run every 5 minutes after creation.

Important note! For this created task to be succesful, you will need to log in with a licensed user. More specifically, an EMS licensed user (automatic enrollment requires an AzureAD + Intune license).

To see this task (and troubleshoot it if needed) we will open the Task Scheduler application.
In this app, go to Microsoft > Windows > EnterpriseMgmt. There you can find the task that you created.

taskscheduler

MDMtask

In the ‘Last Run Result’ of the task, you can find error codes that may appear when it tries to run.
If you get error 0x80180018, then you have a licensing issue. Either you didn’t log in to the correct user, or you have not assigned the license correctly.

licenses

To now check if the task has completed and did its job, we will go to the Intune portal.

Under Devices we are able to see our enrolled W10 (this can take a few minutes, so be patient).

intunelist

You can also see this by going to the Account settings of Windows. There, under Access work or school, you can see the synchronization with the Active Directory and Intune. If you can’t see the ‘Info‘ button, it means the device didn’t fully enroll yet.

accessworkorschool

Testing for multiple devices

Even though our first test was a success, we still have some work to do. The method we previously employed is not very useful in most scenarios. You still have to manually enable the local policy on each device, which is a tedious task.

This is why we are now going to do the exact same thing, but for a group of devices. If we would later add new devices to that group, then it would automatically enroll (which is the main goal of this guide). We’re not using local policies for this so we need to access our domain controller and create a GPO.

Edit the new GPO that you created and go to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM. This is similar to the local policy we edited earlier.

If, like me, you don’t see the ‘Enable automatic MDM enrollment using default Azure AD credentials‘ setting (only ‘Disable MDM Enrollment’), do the following:

  • Search for Administrative Templates (.admx) for Windows 10’ in your preffered search engine.
  • Click the result that leads to the official Microsoft website (e.g. www.microsoft.com/en-us/download/…).
  • Download the .msi file from their website and run it (which will install the .admx files).
  • Go to the location where you just installed the Administrative Templates (default: C:\Program Files (x86)\Microsoft Group Policy\…\PolicyDefinitions)
  • Copy the .admx files + at least one or more language folders (based on what language your Domain Controller is)
  • Paste them in \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (change ‘domain.com’ to your own domain name)

You might have to create the folder PolicyDefinitions if it doesn’t already exist. If you already have a folder with .admx files in there, just copy the MDM.admx and the MDM.adml from the language folder and overwrite them with the existing ones.

Now you should be able to see the setting we mentioned before, Enable it.

***
UPDATE
In newer version you might see some extra settings in this GPO (User Credentials and Device Credentials). From what I have read, the User Credentials setting is the most similar to the one that is used here so I recommend using that. But if you experience issues with joining, switching to Device Credentials might be a solution.
***

Be sure to link this policy to the correct Organizational Unit in which your devices are located. You can then filter the GPO to only apply to the Computers group.

Open the Command Prompt and type gpudate /force to get your policies to apply faster.

After that, you can go back to our previous tests to check if a device enrolled properly (Intune portal or Access work or school).

Now you are able to unleash to power of Intune on your Hybrid Azure AD joined devices!
Stay tuned for future blogs on Intune, which are now more interesting than ever considering we just added new devices to manage and control.

Print Friendly, PDF & Email

47 comments on “Hybrid Azure AD join – Part two: automatic enrollment in Intune”

  1. Nicolai says:

    Amazing guide! Fixed all the issus i had with implementing Intune on our company domain!

  2. shalini Toppo says:

    Hi sam,

    I just joined my devices to domain and Azure AD connect is configured so its now Hybrid AAD joined.
    and Intune is set to auto enrollemnt.
    But my device in not appear in Intune’s all devices.
    I just want to know the other methods to enroll in MDM (other than GPO).

    1. Sam Teerlinck says:

      Thanks for your reply!

      When you have a Hybrid AD environment it is recommended to use a GPO (if possible).

      There are also other methods to enroll.
      Microsoft has an official list of all methods here:
      https://docs.microsoft.com/en-us/intune/enrollment/windows-enrollment-methods

      You can see which one fits best for your particular situation.

  3. Naveen Pandey says:

    Hi Sam,

    Once windows 10 device is hybrid azure ad joined and enrolled in Intune, can we remotely wipe or reset it from Intune?

    1. Sam Teerlinck says:

      Hello Naveen,

      Yes! This is possible.
      You can remote Wipe, Restart and Sync these devices.
      https://docs.microsoft.com/en-us/intune/remote-actions/

  4. Mario Serra says:

    Hello Sam,
    once the devices are in hybrid mode, how do I manage users? For exambple, if i need to change the alias or another attribute what can i do?

    1. Sam Teerlinck says:

      Hi Mario,

      This will depend where the user was created. A user that was created in the on-prem AD will mostly be manageable in on-prem only. You will see that trying to add an alias etc. in the Microsoft portal will give you a notification that this can only be done in the on-prem AD. If you go to Azure Active Directory in portal.azure.com, and then open the Users blade, you can see the ‘Source’ of the User which will tell you where to manage it (there it will say Windows Server AD/Azure Active Directory).

      1. Mario Serra says:

        Thank you for reply, i understand that the users with Windows Server AD soure i must manage on prem. But in AD i don’t have the attibutes, i must extend my AD schema? For Microsoft support i must have also exchange on prem? If yes what module i must install?

        1. Sam Teerlinck says:

          The attributes could indeed be hidden, but should be available to change there. Enabling Advanced Features would be step one: (https://docs.secureauth.com/display/KBA/Enable+Active+Directory+Advanced+Features)
          I don’t understand the second part of your question, but Exchange On-Prem is not mentioned in this article. So you would be better off asking that in a more appropriate blog/forum.

  5. COSTIN HUREZANU says:

    Hello Sam,

    You mentioned that, when one computer is enrolled by editing the local policies, the user who performed the changes must have an Intune license.
    What about for multiple devices? The user who create the GPO must have Intune licence assigned? Is this the case when the DEM account must be used?

    Many thanks for your article,

    Costin

    1. Sam Teerlinck says:

      Hi Costin,

      Great questions! I’ll do my best to answer them all:
      Most of this will all depend on how your Intune is set up.

      First of all, it is not necessary for the user who creates the GPO to have any kind of license/role other than local domain admin.
      It is only when you log in to devices that are affected by the GPO, that you will have to check licenses, roles and enrollment settings.

      You can check how your Intune is set up and how enrollment is managed, change/select who can enroll devices here.
      Since you are enrolling them with a GPO, they are considered as shared devices (see this link, and scroll down to the Important notification). There are also multiple available settings to set the enrollment amount maximum and only some apply to Hybrid Azure AD, so it can get complicated quite quickly. The maximum amount has also changed multiple times, but if I remember correctly it used to be a maximum of 5 per user and was increased to 15 at some point (someone correct me if I’m wrong). But again, since they are GPO enrolled ‘shared devices’, the limit will probably be higher. Also keep in mind that the user that enrolls the device will be considered it’s primary user. Which should generally be the user that the device has been assigned to (mainly to prevent confusion in the portal).
      The Device Enrollment Manager account can enroll a lot of devices but does give the enrolled device some restrictions (more info here).

      After that, make sure you have assigned the correct license(s) to the user so they can enroll.

      1. COSTIN HUREZANU says:

        The problem I face right now (and I cannot understand why) is that, despite the device performing the Hybrid Join flawlessly, its status in Azure AD is:
        – Joint type: Hybrid Azure AD Joined
        – Owner: N/A
        – MDM: None

        See, my expectations were that the user logged onto that computer during the Hybrid Join will become its “Owner”, as long as the license it’s assigned (“the user that enrolls the device will be considered it’s primary user”). But it is not the case.
        Further question then: maybe the GPO must enable device registration using “User credentials” instead of “Device credentials”? What’s happening when there are multiple user profiles already on the computer (i.e. a technician who installed the computer and then the assigned user), both with license?
        I just doesn’t seem right to me. What do I miss?

        Once more, thank you for your amazing article!

        1. Sam Teerlinck says:

          First of all sorry for the late reply, these last weeks have been quite chaotic.

          If your Hybrid Azure AD join is nog giving any issues, then I think the problem might be with your Intune enrollment settings. Maybe the user you are trying to enroll with does not have permission to actually enroll devices in Intune? Also try checking the Event Logs, maybe there you will find some more information about what is going wrong during the enrollment/hybrid join (you can find the troubleshooting guide with event logs etc. here). I have also never had to use user credentials GPO’s for my Hybrid joins… But about your question with multiple licensed users: To my knowledge, the first licensed user to log in to the device when the GPO is active will enroll the device. So profiles of other users will not matter there, even if they have a license. Afterwards you can switch between users and their settings will migrate with them, but the owner/primary user will always be the person who enrolled it (recently Microsoft made it available to change the primary user, check it out here).

          Hope this helped, I would appreciate it greatly if you could post your solutions here when you get them! Thanks in advance!

        2. Tor Marius says:

          Helo i have the same issue that you had. what did you end up with as a solution?

          1. denis says:

            i have the same problem but with windows server vms, i have also sccm co-management configured.

      2. Dev says:

        I want the schedule task to run at every 10 minutes. Is it possible?

  6. Richard Colebeck says:

    Hi Sam,
    Thanks for your blog, they validate how things ~should~ be working. However, like @Costin I’m stuck on the MDM GPO with regards to “User” or “Device” credentials.
    If my GPO is set to User, after a gpupdate /force, I’m notified about a “change my admin has made” (not exact wording as I don’t have that handy) and it prompts me to enter credentials (I use an account that has an Intune license) and the device is registered in MDM with that user being the primary user.
    If my GPO is set to Device, after a gpupdate /force, there is no notification and Event 76, Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002a) is logged in Event Viewer\Applications and Services Logs\Microsoft\Windows\DeviceManagement-Enterprise-Diagnostics-Provider\Admin event log.

    Any insight on User vs Device credentials?

    Cheers,
    Richard…

    1. Sam Teerlinck says:

      First of all sorry for the late reply, these last weeks have been quite chaotic.

      I personally do not have any experience with the new user/device credentials, though I have heard that the user credentials is the most similar to the one I am using here. In my experience, if the logged in user has the correct permissions and the correct license… your device should enroll without problems. Concerning your error (0x8018002a), after some quick research I found that it is probably Multi-Factor Authentication that is causing some problems. These are the two sources that I have found:

      AUTOENROLLMENT FAILS WITH UNKNOWN ERROR 0x80180001 & 0x8018002a
      Troubleshooting co-management: Auto-enroll existing Configuration Manager-managed devices into Intune

      Hope this helped, I would appreciate it greatly if you could post your solutions here when you get them! Thanks in advance!

  7. Darry says:

    Hello Sam,

    I have this situation:

    – System becomes Hybrid Azure-AD joined
    – System not configured to enroll into Intune MDM
    – System taken off on-premises network & using a normal home Internet connection
    – On-premises user account synced to Azure AD, but never logged into this system before. Account has EMS license

    Can the user log into the system using their Azure User Principal Name?

    Thanks.

    1. Sam Teerlinck says:

      Hi Darry,

      If during setup of Hybrid join you have used the same domain that you use locally to log in and all your Azure users have the same mail address/UPN, I don’t think there should be a problem. If the users have the same UPN as before (when they only worked locally) but now in Azure, you should be able to authenticate without problems (if I’m not mistaken)… Be sure to check what authentication method is used with your AD Sync (see this link) and enable single sign-on for your organization.

  8. jonatan says:

    Hello Sam,
    Excellent article, thank you.
    However i have a little problem with the deployement of the GPO.
    When the gpo is deployed via the server to the user pc, if the user in the receiving computer is a standard user (NOT admin) the gpo does not create the task to enroll the computer to intune
    However, if the user in the receiving computer is a local administrator of the computer, then the GPO which was deployed from the server is able to create a task for automatic intune hybrid enrollement.
    As i understand it, a gpo should deployed from the server should be able to run with administrative privileges.
    Do you have any idea on why this may be or if you already had this problem?

    Thank you in advance

    1. Sam Teerlinck says:

      In the Auto-enroll GPO, which credentials are you using? I would try it with both User and then with Device credentials and see if it is working with one of them.

      1. Goutham says:

        Hi Sam,

        Im using user credentials and only 70 devices out of 500 have enrolled automatically.do I need to change to device credentials in GPO to work on other devices??

  9. Mayank says:

    Hi Sam,
    I am facing one isse with auto enrollment please check case.

    Case :- Environment is HAAD and auto enrollment is enabled now i want to login on device with my AD ID and its getting enrolled but in this case if i want to login on se device with my AD ID and i do not want that device to be enrolled so is there any option to do the same?

    Thanks
    Mayank

    1. Sam Teerlinck says:

      If the user is a synced user, it doesn’t matter which login you use (local AD or AAD). But if the user is only in the local domain or only in the AAD, you will have to use the one that it is from. If you don’t want to enroll some devices/users, then exclude them from the GPO.

  10. Dan says:

    Hi,

    Thank you for good write up. I followed this and it worked with the specification that the local gpo need to be activated by local admin account and not domain admin account. Unclear for me at least.

    Question: Is it possible to enroll to Intune via Autopilot or else instead of being dependent to LAN/DC/GPO?

    1. Sam Teerlinck says:

      There are multiple ways to enroll in Intune that don’t require GPO’s. Autopilot deployment is also an option, and you can also Hybrid join with Autopilot.

      Here’s a summary of what the different Windows enrollment methods for Intune:
      https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods

  11. Sathish says:

    Devices are Hybrid joined but its not enrolled Intune.Also tested “dsregcmd /status” and the device shows Azure AD join – yes , Domain join – Yes & Azure AD PRT – NO.

    1. Sam Teerlinck says:

      Always give it some time, it usually takes a while before they get enrolled. After that, start troubleshooting through logs/Event Viewer:
      https://docs.microsoft.com/en-us/mem/intune/enrollment/troubleshoot-windows-auto-enrollment

  12. Chris Yue says:

    Excellent article Sam.

    Regarding Security Filtering with GPO I noticed that you have included Authenticated Users as well as a Machine Computer Group.

    I understand the need for the Machine Group (DLG_Computers) as the GPO is computer based but is it also essential to include Authenticated Users as by definition this includes user and computer accounts already.

    I was hoping assign this GPO to an OU that already includes devices enrolled in a 3rd party MDM we are migrating from. Hence the worry with using Authenticated Users.

    Not sure what the impact is on those already enrolled in an existing 3rd Party MDM.

    Also does the user need to be a local admin for the auto enrolment to work as well?

  13. Denis says:

    Hi there, Great Article!

    Is it really necessary to Add the GPO to the Computers instead of the Users? We have a UserGroup in place, which is tied to the EMS Licenses via Azure. It’s like a Pilot Group to test before Mass Rollout, there is no such Thing for their Computers. How would you target those Devices?

  14. Ankit says:

    Thanks a lot sam for the blog. It helped me find the way to get the right settings in GPO

  15. sk says:

    Hello Sam,

    Excellent article , much better than confusing MS articles, Simple and straight thanks for your efforts putting this simple.

    I have a question appreciate I hope you can help me clear it.

    1. Initially our Intune tenant was setup to register for MDM and MAM for all users.

    2. Users when they got their new device configured outlook (Users Mailboxes are in Office 365) and enabled MAM during profile setup.

    3. Later date we started a new project to Auto-enrollment-Hybrid-Join-MDM-Enrollment.

    4. On Intune Portal we see many devices listing for the same device

    Device join type is
    a.Azure AD registered
    b.Azure AD joined
    c.Hybrid Azure AD joined

    5. We realized and and close the gates on MAM user scope to enrollment
    and set MDM user scope to All – All users can automatically enroll their Windows 10 devices and thru GPO.

    6. Deployed the GPO on On-premises AD and linked the GPO to OU’s

    7. After GPupdate , we see the GPO was applied and the Schdtask was created

    8. We see the device is fetching SCP and reaching to Azure AD endpoint

    9. On Azure AD AAD portal under device (After ADConnect Sync), we see the device is listed as
    Hybrid Azure AD joined, but the MDM state shows as “Pending”, MDM enrollment was not successful.

    10. On-premise Device metadata shows the self sign user certificate and also the same is replicated to AZure AD via ADConnect.

    11. DSregcmd /status with user context, shows the device is reachable to DRS endpoint over the network, but looks like the device is failing DRS registration task

    So, the question I have is

    a. What does Pending state means in Intune portal
    b. Since the device was already registered for MAM and now trying to register to MDM, will their be any change of user certificate for DRS to register it ?
    c. How to confirm if the device is failing at DRS registration ( are their any eventlogs to comb on device)
    d. W/o DRS registration device will not enroll into MDM
    e. How to clean up the previous MAM registrations..

    I know it is a tall order , but appreciate if you can shed some light or at least share some links to go read. (MS documentation creates more confusion for an already confused )

  16. Vikram Patil says:

    Hello Sam, we have configured GPO correctly and my user Laptops is showing hybrid azure joined but owner and MDM is N/A.

    can you help on this issue ?

  17. Paco Garcia says:

    Hi Sam, I’m starting my way into Azure and Intune environment.

    After enroll my first device, I saw than the device name did not match with the real name on AD or Hybrid AAD, instead has taken the “management name” did you got any tip to solve this situation?

    I have a Hybrid AAD and the enrollment has been set in SCCM co-managemente and MDM-intune in AAD

    Thanks in advance for your help

  18. GSphere says:

    Hi Sam,

    for the task scheduler, it should be set with gpo or within the domain controller itself?

    second, can you tell us how to configure the task scheduler, I mean what to type on arguments like that?

  19. Dev says:

    Hello, I want the task scheduler to run every 10 minutes, is it possible. How can we do it??

  20. iotr2013 says:

    Device enrolled successfully visible in Azure Ad and Intune. However, the device can access the web page but not the desktop application.

    Anyone know how I can resolve this

  21. Jerin says:

    Hi Sam,
    We have a situation.
    We hired a vendor to image the machine and send to user (as a white glove machine). Once vendor setup the machine they will send us the machine details to check the machine got added to Intune, but it’s not getting enrolled(1st problem).And once user received the machines, they are seeing a defaultuser0 login screen(2nd problem). Steps I follow to rectify this;
    1. I will initiate a sync and wait for 30 minutes(no luck).
    2. Autopilot reset (sometimes helps)
    3. Doing a hard reset(mostly resolve the issue) and device will get enrolled.

    As far as my understanding, the deployment profile should be assigned properly and device should be enrolled before user receives the machine.

    Do you have any comment on this?

    Thanks in advance

  22. Matt says:

    Thanks so much for this. I have managed to join devices via Local Policy and Group Policy.
    How do I get these devices joined that are not connected using Hybrid Azure AD connected? So a Win10 computer that authenticates direct to Azure and not via a local Domain (Hybrid Azure AD)?
    Thanks.

  23. Vipul Shah says:

    currently have a Hybrid domain setup with hybrid join configured for their devices with Azure AD. The current devices rely on an on-premise Active Directory server which we want to move to Azure AD and remove the reliance on the on-premise server environment for device management. We want to setup the foundations required to move device management solely to Azure AD which will provide a more robust and resilient infrastructure. This will also setup for greater cloud adoption in the future by allowing for an easier transition to Azure AD for full identity management.

    In addition, we want to setup and configure AutoPilot for machine deployment and also build the required infrastructure to manage 3rd party application patching.

    Once the required configurations are complete, all devices will authenticate and managed by Azure AD/Intune and User authentication will still be managed by local AD. However, password writeback will be setup in order for users to manage identity via Azure AD such as ‘self-service password reset’. Devices will still need line of sight of local AD for first time logins in order to establish authentication of users.

  24. James says:

    Excellent writeup. Thank you for the information.

  25. Renfel says:

    Hello Sam,
    This is really great and straight forward. We have a Hybrid setup too but we didnt setup the GPO yet, instead we modify the local security policy and enable the auto enrollment (not sure if that matters) but the device is still not registering.

  26. gary smith says:

    Good work!

  27. Lisa Phuong says:

    I’m not sure if this topic is still open or not, but any helps is appreciated. I have an issue that our devices only showing up in AAD but not in Intune. The device synced to my azure from my domain (Hybrid Azure AD) and I’m looking to add it to Intune for windows autopilot. Please help. Thank you

  28. john says:

    does it requires the windows device to be line-of-sight to domain controller?

Leave a Reply

Your email address will not be published. Required fields are marked *