Intune Enrollment via GPO User eXperience

Question

Hi All&nbsp;I have successfully setup Hybrid Azure AD Join and I have implemented Auto-enrollment into Intune via GPO.&nbsp;However, on my test user(s) I'm still getting MDM status = None.&nbsp;Can anyone tell me what the User eXperience should be for this type of Intune Enrollment?&nbsp;Does the User get prompted to sign in or anything?&nbsp;Info appreciated

stuartk73 · Answer

ambarishrh&nbsp;&nbsp;That's very interesting, using the 2 GPO's.&nbsp;I had that setup already, then removed the Device Registration one as I was advised that this was NOT needed for Hybrid Azure AD Join, as all domain devices register as Hybrid Azure AD Join once AADC has been configured this way.&nbsp;I will re-implement the Device Registration policy and keep you posted.&nbsp;Thanks again&nbsp;

chris-yue · Answer

ambarishrh&nbsp;StuartK73&nbsp;&nbsp;My environment is as follows:-On Premise AD&nbsp;Hybrid Azure AD Joined devices using AD Connect&nbsp;I was also facing the same situation where the status of the MDM was None rather than Microsoft Intune for my Windows 10 devices.&nbsp;Ambarish I followed that extra step to Register domain joined computers as devices and now it seem to work. I would why this setting is needed given the device is already Hybrid Azure AD Joined?&nbsp;Previously I did get this to work but only when the device was line of sight to my on premise AD. i.e. in the office.&nbsp; So I thought that was just the limitation of auto enrolment.&nbsp;Because all my users are now WFH due for COVID&nbsp;I will need to try this with some other devices but it now looks more positive.&nbsp;&nbsp;&nbsp;

ambarishrh · Answer

StuartK73&nbsp;Could you please share some more information about your setup?&nbsp;What GPO settings did you apply?Is this not working for any machines that's joined to local AD?When you set the gpo for device enrollment, the end machine will need to reboot and login. Once logged in, if you go to windows settings, you should see an info button on the work or school account which confirms that your machine is joined to Hybrid Azure AD.&nbsp;Another way to check is to run the command dsregcmd /status.More troubleshooting steps:&nbsp;https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-current

stuartk73 · Answer

ambarishrh&nbsp;&nbsp;Yes, the machines are showing as Hybrid Azure AD Join but not as enrolled in Intune.&nbsp;Stuart

ambarishrh · Answer

StuartK73&nbsp;I had similar issues with on my tenant where devices will show in Azure AD Devices as Hybrid Azure AD Join but not in All Devices and the MDM state is shown as none. The fix for my case was to set 2 GPO policy settings (As per MS Support, the first device registration policy adds the device to Azure AD and MDM part enrolls the device to intune, and we need to have both to get the devices fully managed via intune/MDM)&nbsp;&nbsp;&nbsp;If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps:Download:1803 --&gt;https://www.microsoft.com/en-us/download/details.aspx?id=56880 or1809 --&gt; https://www.microsoft.com/en-us/download/details.aspx?id=57576.Install the package on the Primary Domain Controller (PDC).Navigate, depending on the version to the folder: 1803 --&gt; C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2, or1809 --&gt; C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2Copy policy definitions folder to C:\Windows\SYSVOL\domain\Policies.Restart the Primary Domain Controller for the policy to be available. This procedure will work for any future version as well.

Forum Discussion

Intune Enrollment via GPO User eXperience

10 Replies

Resources