Forum Discussion
Intune Enrollment via GPO User eXperience
StuartK73 I had similar issues on my tenant where devices show in Azure AD Devices as Hybrid Azure AD Joined but not in All Devices, and the MDM state is shown as None. The fix in my case was to set 2 GPO policy settings (as per MS Support, the first, device registration, policy adds the device to Azure AD and the MDM part enrolls the device into Intune, and we need to have both to get the devices fully managed via Intune/MDM).
If you do not see the policy, it may be because you don't have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps:
- Download:
  1803 --> Administrative Templates (.admx) for Windows 10 April 2018 Update (1803), or
  1809 --> Administrative Templates for Windows 10 October 2018 Update (1809).
- Install the package on the Primary Domain Controller (PDC).
- Navigate, depending on the version, to the folder:
  1803 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2, or
  1809 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2
- Copy the policy definitions folder to C:\Windows\SYSVOL\domain\Policies.
- Restart the Primary Domain Controller for the policy to be available.
This procedure will work for any future version as well.
My environment is as follows:
On Premise AD
Hybrid Azure AD Joined devices using AD Connect
I was also facing the same situation where the status of the MDM was None rather than Microsoft Intune for my Windows 10 devices.
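The central-store step described in the post above, as an added PowerShell example that is not from any poster in this thread. It assumes the ActiveDirectory RSAT module is present, that it runs with rights to write SYSVOL, that the package paths are the ones quoted above, and that the two policies live in MDM.admx and WorkplaceJoin.admx (those filenames are my assumption, not stated in the thread).

```powershell
# Added example (not from the thread): stage the downloaded 1803/1809 ADMX set into the
# domain central store and confirm the two templates that carry the device-registration
# and MDM-enrollment policies arrived. Without them the settings never appear in GPMC.
param(
    [ValidateSet('1803','1809')][string]$Version = '1809',
    # Assumption: ActiveDirectory module available to resolve the domain name.
    [string]$Domain = (Get-ADDomain).DNSRoot
)

# Install locations quoted in the post, plus the PolicyDefinitions subfolder the package creates.
$source = switch ($Version) {
    '1803' { 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2\PolicyDefinitions' }
    '1809' { 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2\PolicyDefinitions' }
}
# Writing via the SYSVOL share rather than the local C:\Windows\SYSVOL path lets
# DFS-R replicate the central store to every DC, so no DC serves stale templates.
$centralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

if (-not (Test-Path $source)) { throw "ADMX package not installed at $source" }
New-Item -ItemType Directory -Path $centralStore -Force | Out-Null

# Copy the .admx files and the en-US .adml strings; add other language folders to $langs as needed.
Copy-Item -Path (Join-Path $source '*.admx') -Destination $centralStore -Force
$langs = @('en-US')
foreach ($lang in $langs) {
    $dest = Join-Path $centralStore $lang
    New-Item -ItemType Directory -Path $dest -Force | Out-Null
    Copy-Item -Path (Join-Path $source "$lang\*.adml") -Destination $dest -Force
}

# Assumed template names: MDM.admx for "Enable automatic MDM enrollment using default
# Azure AD credentials" and WorkplaceJoin.admx for "Register domain joined computers as
# devices". Report each so a missing file is caught before anyone opens GPMC.
foreach ($admx in 'MDM.admx','WorkplaceJoin.admx') {
    $present = Test-Path (Join-Path $centralStore $admx)
    '{0,-20} {1}' -f $admx, $(if ($present) { 'OK' } else { 'MISSING' })
}
```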
Ambarish I followed that extra step to Register domain joined computers as devices and now it seems to work. I would like to know why this setting is needed, given the device is already Hybrid Azure AD Joined?
Previously I did get this to work but only when the device was line of sight to my on premise AD. i.e. in the office. So I thought that was just the limitation of auto enrolment.
Because all my users are now WFH due to COVID, I will need to try this with some other devices, but it now looks more positive.
- almarlibetario, Sep 11, 2020, Brass Contributor
Chris-Yue It is actually required as part of the GPO Policy for Hybrid-joined devices. It should be worth noting that when configuring GPO for devices, you only need to change Computer Config policies and never duplicate the same policy on the User Config.
Here's a preview of mine.
- Chris-Yue, Sep 11, 2020, Iron Contributor
Thanks for the tip.
In the articles I have seen, I saw reference to Enable automatic MDM enrolment using default Azure AD credentials but not the device registration one.
Another thing I have noticed is the following.
Where a user picture has been assigned to Office 365, which is visible in office.com and mobile apps, should this appear on Windows 10 devices at the login screen?
I got this once, but since retiring the device and re-enrolling again, I don't see it anymore.