Hybrid Azure AD join – Part two: automatic enrollment in Intune
Welcome to the second part of our Hybrid Azure AD join guide. If you have missed our first part, where we explain what Hybrid Azure AD join actually is and how to set it up, be sure to check it out here!
Before we start, make sure you set up Intune environment to accept automatic enrollment (licensing & MDM scope).
Let’s get right into it. Now that our W10 device is registered as a Hybrid Azure AD joined device, we can start doing stuff with it. In order to start managing this device via Intune, it must be enrolled first. This can be done manually but since we are professional computer geeks (and a bit lazy), we want this done automatically. Let’s start by testing this on a single device.
Testing for a single device
To give our Hybrid Azure AD joined device a trial by fire, we will edit its local group policies to automatically enroll into Intune.
First of all start by hitting Windows + R (opening the Run window) and type gpedit.msc.
To run this command, you need to be logged in as the administrator.
We are now in the Local Group Policy Editor.
Go to Computer Configuration > Administrative Templates > Windows Components > MDM.
Here you will find two settings, of which we select the first one.
Set Enable automatic MDM enrollment using default Azure AD credentials to Enabled.
As a result, enabling this will create scheduled task that will run every 5 minutes after creation.
Important note! For this created task to be succesful, you will need to log in with a licensed user. More specifically, an EMS licensed user (automatic enrollment requires an AzureAD + Intune license).
To see this task (and troubleshoot it if needed) we will open the Task Scheduler application.
In this app, go to Microsoft > Windows > EnterpriseMgmt. There you can find the task that you created.
In the ‘Last Run Result’ of the task, you can find error codes that may appear when it tries to run.
If you get error 0x80180018, then you have a licensing issue. Either you didn’t log in to the correct user, or you have not assigned the license correctly.
To now check if the task has completed and did its job, we will go to the Intune portal.
Under Devices we are able to see our enrolled W10 (this can take a few minutes, so be patient).
You can also see this by going to the Account settings of Windows. There, under Access work or school, you can see the synchronization with the Active Directory and Intune. If you can’t see the ‘Info‘ button, it means the device didn’t fully enroll yet.
Testing for multiple devices
Even though our first test was a success, we still have some work to do. The method we previously employed is not very useful in most scenarios. You still have to manually enable the local policy on each device, which is a tedious task.
This is why we are now going to do the exact same thing, but for a group of devices. If we would later add new devices to that group, then it would automatically enroll (which is the main goal of this guide). We’re not using local policies for this so we need to access our domain controller and create a GPO.
Edit the new GPO that you created and go to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM. This is similar to the local policy we edited earlier.
If, like me, you don’t see the ‘Enable automatic MDM enrollment using default Azure AD credentials‘ setting (only ‘Disable MDM Enrollment’), do the following:
- Search for ‘Administrative Templates (.admx) for Windows 10’ in your preffered search engine.
- Click the result that leads to the official Microsoft website (e.g. www.microsoft.com/en-us/download/…).
- Download the .msi file from their website and run it (which will install the .admx files).
- Go to the location where you just installed the Administrative Templates (default: C:\Program Files (x86)\Microsoft Group Policy\…\PolicyDefinitions)
- Copy the .admx files + at least one or more language folders (based on what language your Domain Controller is)
- Paste them in \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (change ‘domain.com’ to your own domain name)
You might have to create the folder PolicyDefinitions if it doesn’t already exist. If you already have a folder with .admx files in there, just copy the MDM.admx and the MDM.adml from the language folder and overwrite them with the existing ones.
Now you should be able to see the setting we mentioned before, Enable it.
In newer version you might see some extra settings in this GPO (User Credentials and Device Credentials). From what I have read, the User Credentials setting is the most similar to the one that is used here so I recommend using that. But if you experience issues with joining, switching to Device Credentials might be a solution.
Be sure to link this policy to the correct Organizational Unit in which your devices are located. You can then filter the GPO to only apply to the Computers group.
Open the Command Prompt and type gpudate /force to get your policies to apply faster.
After that, you can go back to our previous tests to check if a device enrolled properly (Intune portal or Access work or school).
Now you are able to unleash to power of Intune on your Hybrid Azure AD joined devices!
Stay tuned for future blogs on Intune, which are now more interesting than ever considering we just added new devices to manage and control.
I joined Orbid after finishing my bachelors degree of New Media and Communication Technology at Howest Kortrijk. As a System Engineer I focus on Microsoft 365 technologies (Azure AD, EMS, Intune, AIP, MCAS…), this way I am able to fully develop my skills and interests in Cloud & Security.