WVD - Intune Auto enrolment for AAD only organisation


Hi All, been going round in circles... since we are a completely Azure AD organisation, been told that we cannot do Intune Auto-enrolment for our WVD devices? Been pointed to articles that devices need to be hybrid AAD joined and since we don't have on-prem AD it's not possible.

Any thoughts on how we can achieve Intune Auto-enrolment pls? 

8 Replies
You should be able to use Group Policy to do it:

https://www.anoopcnair.com/windows-10-intune-enrollment-using-group-policy-automatic-enrollment-wvd/

Assuming you are running Azure Active Directory Domain Services, you can still configure GPO etc on it, you just need a 'utility box' to be joined to the same network, domain as the ADDS domain as WVD and you can create the GPOs and deploy it to the WVD (sorry Azure Virtual Desktop) boxes.

Thanks Luke for a quick response. Do you have any blogs or articles on configuring GPO on ADDS pls?

Here's the Microsoft article: https://docs.microsoft.com/en-us/azure/active-directory-domain-services/manage-group-policy

Essentially you need:
* A Windows Server management VM that is joined to the Azure AD DS managed domain, in the same network as ADDS.
* Group Policy/AD Management tools installed and you can use that to create/modify the policies etc.

An added note is that the utility box can be shut down when not needed to save on cost.

Brilliant! Thanks a ton Luke :)

Good luck and have fun! Just make sure you are using an account that is a member of the Azure Active Directory 'AAD DC Administrators' group for rights to make changes etc.

@Luke Murray This information is incorrect. You cannot currently Azure Domain Join a Win10 AVD/WVD to cloud only Azure Domain Services. If you are using Azure Domain Services, the AVD correctly reports as being domain joined, and therefore the only way that the GPO will work is if Azure AD Connect is deployed on the domain controllers, which is not possible with Azure Domain Services (AAD DS).

It looks like this was fixed recently. Not sure what I did exactly, but after completing the AzureAD's Mobility MDM setup and Intune's Auto Enrollment setup then all of a sudden new WVD creation had an option to enroll into Intune. First two WVDs that were created did not enroll and I could not enroll via Company Portal or Auto Enrollment, but after the two mentioned setups the 3rd had the option and shows in Intune. Hope that helps.
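
The replies above disagree about whether a session host joined only to Azure AD DS can enrol through Group Policy, and the answer for a given host depends on its join state. The script below is an added example, not code from any poster in this thread: it classifies the join state from `dsregcmd /status` text and reads the registry values that the MDM auto-enrolment policy writes. The function names are hypothetical and the sample output is constructed.

```powershell
# Constructed sample of `dsregcmd /status` output (not taken from a real host).
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : NO
          EnterpriseJoined : NO
              DomainJoined : YES
                DomainName : CONTOSO
'@

function Get-JoinState {
    param([Parameter(Mandatory)][string]$StatusText)
    $fields = @{}
    foreach ($line in $StatusText -split "`r?`n") {
        # Data lines look like "   AzureAdJoined : YES"; banner lines are skipped.
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') { $fields[$Matches[1]] = $Matches[2] }
    }
    $aad = $fields['AzureAdJoined'] -eq 'YES'
    $dom = $fields['DomainJoined'] -eq 'YES'
    if ($aad -and $dom) { $kind = 'HybridAzureADJoined' }
    elseif ($aad)       { $kind = 'AzureADJoined' }
    elseif ($dom)       { $kind = 'DomainJoinedOnly' }   # the AAD DS case described in the thread
    else                { $kind = 'NotJoined' }
    [pscustomobject]@{
        JoinType      = $kind
        AzureAdJoined = $aad
        DomainJoined  = $dom
        MdmUrl        = $fields['MdmUrl']   # empty when no MDM scope reached the device
    }
}

function Get-MdmAutoEnrollPolicy {
    # Values set by the "Enable automatic MDM enrollment using default
    # Azure AD credentials" policy; returns $null if the GPO never applied.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $key)) { return $null }
    Get-ItemProperty -Path $key | Select-Object AutoEnrollMDM, UseAADCredentialType
}

# On a session host, pass live output instead: (dsregcmd /status | Out-String)
Get-JoinState -StatusText $sample
Get-MdmAutoEnrollPolicy
```

For the constructed sample, `JoinType` is `DomainJoinedOnly`: the policy values may be present in the registry while the device still has no Azure AD identity to enrol with.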