Forum Discussion

StuartK73's avatar
StuartK73
Iron Contributor
Aug 21, 2019

Intune Enrollment via GPO User eXperience

Hi All   I have successfully setup Hybrid Azure AD Join and I have implemented Auto-enrollment into Intune via GPO.   However, on my test user(s) I'm still getting MDM status = None.   Can anyo...
Intune
Mobile Device Management (MDM)
ambarishrh's avatar
ambarishrh
Iron Contributor
Sep 09, 2019

StuartK73 I had similar issues with on my tenant where devices will show in Azure AD Devices as Hybrid Azure AD Join but not in All Devices and the MDM state is shown as none. The fix for my case was to set 2 GPO policy settings (As per MS Support, the first device registration policy adds the device to Azure AD and MDM part enrolls the device to intune, and we need to have both to get the devices fully managed via intune/MDM)

 

 

 

If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps:

  1. Download:
    1803 -->Administrative Templates (.admx) for Windows 10 April 2018 Update (1803) or
    1809 --> Administrative Templates for Windows 10 October 2018 Update (1809).
  2. Install the package on the Primary Domain Controller (PDC).
  3. Navigate, depending on the version to the folder: 1803 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2, or
    1809 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2
  4. Copy policy definitions folder to C:\Windows\SYSVOL\domain\Policies.
  5. Restart the Primary Domain Controller for the policy to be available. This procedure will work for any future version as well.
StuartK73's avatar
StuartK73
Iron Contributor
Sep 09, 2019

ambarishrh 

 

That's very interesting, using the 2 GPO's.

 

I had that setup already, then removed the Device Registration one as I was advised that this was NOT needed for Hybrid Azure AD Join, as all domain devices register as Hybrid Azure AD Join once AADC has been configured this way.

 

I will re-implement the Device Registration policy and keep you posted.

 

Thanks again 

  • alexandertuvstrom's avatar
    alexandertuvstrom
    Brass Contributor
    Sep 11, 2020

    StuartK73 

     

    1. Verify that the user who is going to enroll the device has a valid Intune license.
    2. Make sure that your auto-enrollment (MDM user scope to "All") settings are configured under Microsoft Intune instead of Microsoft Intune Enrollment.
    3. Verify that the Enable Automatic MDM enrollment using default Azure AD credentials group policy   (Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices which should be enrolled into Intune.
    4. Verify that Microsoft Intune should allow enrollment of Windows devices (Device enrollment restrictions in Endpoint Manager portal)

     

    • ambarishrh's avatar
      ambarishrh
      Iron Contributor
      Sep 17, 2020

      I recently had another instance where the AzureAdPrt was NO, an MS support agent gave me the following steps:

      1) whoami /upn Run the command in commad prompt UPN should be same in cloud .

       

       2) Add the URL in IE

       

       

      ·  https://enterpriseregistration.windows.net

      ·  https://login.microsoftonline.com

      ·  https://device.login.microsoftonline.com

      ·  https://autologon.microsoftazuread-sso.com

       

      3)      Open task scheduler(AS admin )> Microsoft>Windows> Work place join>right click on “Auto work place join” and make sure it is in “running” state.

      4)      Then re-start machine and run dsregcmd /status , check for Azure prt status.

      5)      dsregcmd /debug /leave in admin mode.

      6)      Once machine up run dsregcmd /debug /join in admin mode.

       

Resources