Forum Discussion
Enroll W10 devices automatically using Group Policy
- Mar 19, 2021
Hello GoodNightVienna!
I recommend that you use this command to view the policies applied to a device (run from local device):
- Start CMD/PowerShell as an admin
- Run: RSOP.msc
- Navigate to the specific location as per your need
As you are using Group Policies to enroll your devices I assume that you want your devices to be hybrid Azure AD-joined.
- Are you using Azure AD Connect to sync your devices to Azure AD?
- Are you synchronizing the correct OUs in AD?
- Are all the failing devices Windows 10 or do you have any down-level devices (W7, W8, W8.1)?
I recommend the below as part of your troubleshooting:
- Find a failing device in Azure AD and have a look at the "Registered" column. If you do not have a timestamp in the column, this would be your main issue which will mess up the MDM-enrollment as well.
- Have a look at this article to find more info about how you could troubleshoot the Azure AD Hybrid-Join issue: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current
- Make sure that the MDM automatic enrollment settings are set correctly: https://portal.azure.com/#blade/Microsoft_AAD_IAM/ActiveDirectoryMenuBlade/Mobility
- Make sure that your end users have an Intune license assigned
Have a look at above and let us know if you require further help. I am happy to help.
//Nicklas
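As an added example (this is not part of Nicklas's post or of any Microsoft tool), the checks above can be collected from the failing device in one go. The script below runs from an elevated PowerShell session on the device and reports the dsregcmd join state (AzureAdJoined, DomainJoined, AzureAdPrt), the registry values written by the "Enable automatic MDM enrollment using default Azure AD credentials" policy, the Auto MDM Enroll events (ID 76 is the failure event quoted in this thread; ID 75 is its success counterpart) and any Intune enrollment record in the registry. The function names are mine; the event log name and the two registry paths are the standard Windows 10 locations, and the script assumes no other MDM provider is enrolled on the device.

```powershell
# Added diagnostic helper, not from the original post. Run in an elevated
# PowerShell session on the failing device. Assumed locations: the
# DeviceManagement-Enterprise-Diagnostics-Provider/Admin event log, the
# MDM policy key and the Enrollments key (all standard on Windows 10).

function Get-DsregStatus {
    # dsregcmd /status prints "Name : Value" lines; turn them into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-AutoEnrollEvents {
    # Event 75 = "Auto MDM Enroll ... Succeeded", event 76 = "... Failed".
    # The HRESULT in the message (e.g. 0x8018002b in this thread) is extracted with a regex.
    $filter = @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 75, 76
    }
    Get-WinEvent -FilterHashtable $filter -MaxEvents 20 -ErrorAction SilentlyContinue |
        ForEach-Object {
            $code = if ($_.Message -match '0x[0-9A-Fa-f]{8}') { $Matches[0] } else { '' }
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Id      = $_.Id
                Result  = if ($_.Id -eq 75) { 'Succeeded' } else { 'Failed' }
                Code    = $code
                Message = ($_.Message -split "`n")[0]
            }
        }
}

function Get-MdmEnrollment {
    # Intune writes its enrollment under HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>
    # with ProviderID "MS DM Server". A device that never enrolled has no such key.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object PSChildName, UPN, EnrollmentState, DiscoveryServiceFullURL
}

# 1. Join state (the AzureAdJoined / DomainJoined / AzureAdPrt fields of dsregcmd /status)
$ds = Get-DsregStatus
foreach ($key in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'TenantName') {
    '{0,-14}: {1}' -f $key, $ds[$key]
}
if ($ds['AzureAdJoined'] -ne 'YES' -or $ds['DomainJoined'] -ne 'YES') {
    Write-Warning 'Not hybrid Azure AD joined; fix the join before looking at MDM enrollment.'
}
if ($ds['AzureAdPrt'] -ne 'YES') {
    Write-Warning 'No Azure AD PRT for the signed-in user (AzureAdPrt: NO).'
}

# 2. Registry values behind the auto-enrollment Group Policy
#    (AutoEnrollMDM = 1; UseAADCredentialType 1 = User Credential, 2 = Device Credential).
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
if ($null -eq $pol -or $pol.AutoEnrollMDM -ne 1) {
    Write-Warning 'AutoEnrollMDM policy is not set to 1; run gpupdate /force and check RSOP.msc.'
} else {
    'AutoEnrollMDM : {0} (UseAADCredentialType: {1})' -f $pol.AutoEnrollMDM, $pol.UseAADCredentialType
}

# 3. Auto-enrollment event history and the resulting enrollment record, if any
Get-AutoEnrollEvents | Format-Table -AutoSize
$enr = Get-MdmEnrollment
if ($enr) { $enr | Format-List } else { Write-Warning 'No Intune (MS DM Server) enrollment found in the registry.' }
```

Run it once on a device that enrolled correctly and once on a failing one and compare the output side by side: a device with the policy applied but no enrollment record and a string of ID 76 events points at the enrollment step itself, while a device missing AzureAdJoined or AzureAdPrt points back at the hybrid join or the user sign-in, which is what the checklist above separates.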
- GoodNightVienna (Mar 22, 2021, Copper Contributor)
Hi NicklasAhlberg!
Thank you very much for your reply. I ran the command mentioned in your reply and saw what I wanted to see! It is indeed 'Enabled' and I am happy.
I didn't mention it in my original post, but I can confirm that:
• Our test devices are hybrid Azure-AD joined (when we ran dsregcmd /status, under Device State, we can see AzureADJoined:Yes, DomainJoined:Yes)
• OUs are synced to Azure AD (my successfully enrolled laptop is in the same OU as the failing ones)
• All the test devices are W10 1909 or later
• EMS E3 licence is assigned to the test users
• Auto-enrollment is activated for those users who are going to enroll the devices into Intune
• Azure AD allows the logon user to enroll devices
• The MDM discovery URL during auto-enrollment is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
• Microsoft Intune allows enrollment of Windows devices (Enrollment restriction only applies on personal)
• Auto-enrollment settings are configured under Microsoft Intune
Error findings
Device 1
AzureAdPrt: No (however, KeySignTest: PASSED)
There are two entries in Azure portal > Devices:
1. Join type: Azure AD registered, Registered: 3/4/2020
2. Join type: Hybrid Azure AD joined, Owner: N/A, Registered: Pending
Event Viewer: ID 76 Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)
Device 2
Join type: Hybrid Azure AD joined, Owner: N/A, Registered: 9/6/2019, Activity: 3/15/2021
Event Viewer: ID 76 Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x8018002b)
Device 3
AzureAdPrt: No
No entry in Azure portal > Devices. All other devices in the same OU appear in Azure AD as Hybrid Joined, but not this one!
If you have any ideas to fix the issues above, I would really appreciate it. Thank you!
- NicklasAhlberg (Mar 22, 2021, Brass Contributor)
Hello!
- Click both "restore" buttons and make sure that the logged-on users on the failing devices are part of the "some"/allowed group. This issue usually occurs due to a combination of the users not being allowed to join devices to AAD and a faulty setup of Azure AD Connect.
- Windows 10 1803 did not consolidate device objects when they went from registered to being joined/hybrid joined. It is usually OK to delete the wrong device from AAD manually.
- GoodNightVienna (Mar 31, 2021, Copper Contributor)