Deploying and managing Windows devices in education
Event Ended
Wednesday, Jul 21, 2021, 03:00 PM PDT
Event details
The education device management product team will be answering questions around deploying and managing Windows devices in education. Bring questions you have around Intune for Education, Microsoft En...
Heather_Poulsen
Updated Jul 21, 2021
cstott
Jul 21, 2021
Copper Contributor
Hello. I have a question regarding Intune Enrollment via GPO: Is it possible to enroll Windows 10 devices using a GPO configured using Device Credentials instead of User Credentials? We don't want to wait for users to have to sign in to begin deploying applications/settings, and we are converting existing AD bound workstations in our users' absence into Intune management. All of our efforts to enroll devices with this configuration have met with failure, throwing error 0x80180001 with Event ID 76 in the DeviceManagement-Enterprise-Diagnostics-Provider logs.
The article here https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy
states that Device Credentials are not supported for environments without Configuration Manager, or Azure Virtual Desktop. Is this in fact the case? There is lots of conflicting/confusing information out there, such as in these threads:
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/4828
https://github.com/MicrosoftDocs/windows-itpro-docs/issues/5543
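A local triage check an admin can run on one of the affected workstations to confirm which credential type the GPO actually configured and to pull the Event ID 76 / 0x80180001 failures described in the question. This is an added example, not code from the thread; it assumes the auto-enrollment GPO writes `AutoEnrollMDM` and `UseAADCredentialType` (1 = user, 2 = device) under `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM`, and that the failures land in the `/Admin` channel of the DeviceManagement-Enterprise-Diagnostics-Provider log.

```powershell
# Added triage script (not from the thread). Assumed registry location and value names
# for the "Enable automatic MDM enrollment using default Azure AD credentials" GPO.
function Get-MdmAutoEnrollState {
    [CmdletBinding()]
    param([int]$MaxEvents = 20)

    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    # Assumption: 1 = User Credential, 2 = Device Credential (GPO drop-down values)
    $credType = switch ($policy.UseAADCredentialType) {
        1       { 'User' }
        2       { 'Device' }
        default { 'NotSet' }
    }

    # Event ID 76 is the auto-enrollment failure record; filter to the 0x80180001 case
    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $failures = @(Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 76 } `
                    -MaxEvents $MaxEvents -ErrorAction SilentlyContinue |
                  Where-Object { $_.Message -match '0x80180001' })

    if ($credType -eq 'Device' -and $failures.Count -gt 0) {
        $likelyCause = 'GPO enrollment with Device Credential; this combination fails with 0x80180001.'
    } elseif ($credType -eq 'Device') {
        $likelyCause = 'Device Credential configured; expect enrollment to fail until switched to User Credential.'
    } else {
        $likelyCause = 'n/a'
    }

    [pscustomobject]@{
        AutoEnrollMDM  = [bool]$policy.AutoEnrollMDM
        CredentialType = $credType
        Event76Count   = $failures.Count
        LatestFailure  = if ($failures.Count -gt 0) { $failures[0].TimeCreated } else { $null }
        LikelyCause    = $likelyCause
    }
}

Get-MdmAutoEnrollState | Format-List
```

Run it elevated so the policy key and the Admin log are readable; `Event76Count` of zero with `CredentialType` = Device means the schedule task has not yet attempted enrollment.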
hoyty76
Jul 21, 2021
Iron Contributor
Haven't been able to figure this out for years myself.
- EricOrman, Jul 21, 2021
Microsoft
Device credential is not supported when performing GPO enrollments into MEM/Intune; it is actually blocked at the Intune service. Only user credential is supported when performing GPO enrollments, which also means you need to assign an Intune license to your users. https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy, see the big bold purple comment on step #5.
- cstott, Jul 21, 2021
Copper Contributor
OK. I wanted to verify if that is indeed the case. Well that is really too bad--I was hoping otherwise. Thank you for clearing that up. Is there a better way to enroll an existing workstation when a user is not around to sign in themselves, that will enable applications to install before they have a chance to use it again? We are servicing AD-bound desktops that have been out of use by folks for over a year and we want to bring them into compliance. Our efforts so far have looked at a few methods:
- Deep link enrollment (device management only) with a service account: results in the Intune Management Extension not being installed, so PowerShell scripts and Win32 apps do not deploy.
- Provisioning Package (Bulk Enrollment): results in the IME being installed, PowerShell scripts do run, but Win32 apps do not deploy. The IME log states that the agent is looking for an AAD token at the user level and refuses to install any apps. I assume it will install the applications once an AAD-eligible user signs in, but we're again at the problem of requiring user presence.
After all of this I am considering using a service account with Device Enrollment Manager permissions (to get around the enrollment limit) to sign into a mass number of HAADJ machines, that way at least the systems will get all of their apps/scripts run before people come back to work on site. Would this work?
- ChrisKunze-MSFT, Jul 21, 2021
Microsoft
Question on this: "-Provisioning Package(Bulk Enrollment): results in the IME being installed, Powershell Scripts do run, but Win32 Apps do not deploy. The IME log states that the agent is looking for an AAD token at the user level and refuses to install any apps." A ppkg should enroll the device as userless. Any apps and/or settings that are assigned to the device should be applied before the device is logged into. Are you sure the Win32 apps are not getting installed?
- hoyty76, Jul 21, 2021
Iron Contributor
How does white glove AutoPilot handle this scenario? Doesn't that process enroll to download settings / apps before final hand-off to the user? Is there a similar way to do that without AutoPilot? Can't hand a student a machine and say wait for it to download Microsoft 365 apps. It needs to be good to go as soon as it is handed to them.
- ChrisKunze-MSFT, Jul 21, 2021
Microsoft
White glove will only apply settings or apps applied to the device unless a user is specified.