Intune Enrollment via GPO User eXperience

Iron Contributor

Hi All

 

I have successfully setup Hybrid Azure AD Join and I have implemented Auto-enrollment into Intune via GPO.

 

However, on my test user(s) I'm still getting MDM status = None.

 

Can anyone tell me what the User eXperience should be for this type of Intune Enrollment?

 

Does the User get prompted to sign in or anything?

 

Info appreciated

10 Replies

@Stuart King Could you please share some more information about your setup?

 

  1. What GPO settings did you apply?
  2. Is this not working for any machines that's joined to local AD?

When you set the gpo for device enrollment, the end machine will need to reboot and login. Once logged in, if you go to windows settings, you should see an info button on the work or school account which confirms that your machine is joined to Hybrid Azure AD.

 

Another way to check is to run the command dsregcmd /status.

More troubleshooting steps: https://docs.microsoft.com/en-us/azure/active-directory/devices/troubleshoot-hybrid-join-windows-cur...

@Ambarish RH 

 

Yes, the machines are showing as Hybrid Azure AD Join but not as enrolled in Intune.

 

Stuart

@Stuart King I had similar issues with on my tenant where devices will show in Azure AD Devices as Hybrid Azure AD Join but not in All Devices and the MDM state is shown as none. The fix for my case was to set 2 GPO policy settings (As per MS Support, the first device registration policy adds the device to Azure AD and MDM part enrolls the device to intune, and we need to have both to get the devices fully managed via intune/MDM)

 

clipboard_image_0.png

 

clipboard_image_0.png

 

If you do not see the policy, it may be because you don’t have the ADMX installed for Windows 10, version 1803 or version 1809. To fix the issue, follow these steps:

  1. Download:
    1803 -->Administrative Templates (.admx) for Windows 10 April 2018 Update (1803) or
    1809 --> Administrative Templates for Windows 10 October 2018 Update (1809).
  2. Install the package on the Primary Domain Controller (PDC).
  3. Navigate, depending on the version to the folder: 1803 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 April 2018 Update (1803) v2, or
    1809 --> C:\Program Files (x86)\Microsoft Group Policy\Windows 10 October 2018 Update (1809) v2
  4. Copy policy definitions folder to C:\Windows\SYSVOL\domain\Policies.
  5. Restart the Primary Domain Controller for the policy to be available. This procedure will work for any future version as well.

@Ambarish RH 

 

That's very interesting, using the 2 GPO's.

 

I had that setup already, then removed the Device Registration one as I was advised that this was NOT needed for Hybrid Azure AD Join, as all domain devices register as Hybrid Azure AD Join once AADC has been configured this way.

 

I will re-implement the Device Registration policy and keep you posted.

 

Thanks again 

@Ambarish RH 

@Stuart King 

 

My environment is as follows:-

On Premise AD 

Hybrid Azure AD Joined devices using AD Connect

 

I was also facing the same situation where the status of the MDM was None rather than Microsoft Intune for my Windows 10 devices.

 

Ambarish I followed that extra step to Register domain joined computers as devices and now it seem to work. I would why this setting is needed given the device is already Hybrid Azure AD Joined?

 

Previously I did get this to work but only when the device was line of sight to my on premise AD. i.e. in the office.  So I thought that was just the limitation of auto enrolment.

 

Because all my users are now WFH due for COVID I will need to try this with some other devices but it now looks more positive. 

 

 

@Stuart King I have these problems every time. what I did is to run dsregcmd /status and see if the AzureADPRT value is NO. then if the value is NO, reboot the machine and login using the O365 account UPN (sample@contoso.com). It doesn't matter if it is the same with the on-premise AD UPN but you need to type the whole UPN name as login.  It will create a new profile and then go to work or school account and click on info. Once all the progress is successful, run the dsregcmd /status command again and see if the AzureADPRT value has changed.

Note: do not run cmd as administrator if you are applying the policy per user basis not on per device.

 

Also check the task scheduler of the affected machine. A successful Hybrid-joined device will automatically create a scheduled task. Also, check the event viewer for errors.

 

Hope this helps.

@Chris Yue It is actually required as part of the GPO Policy for Hybrid-joined devices. It should be worth noting that when configuring GPO for devices, you only need to change Computer Config policies and never duplicate the same policy on the User Config.

Here's a preview of mine.

Manual Policy configured.jpg

@almarlibetario 

 

Thanks for the tip.

On the articles I have seen, I saw reference to Enable automatic MDM enrolment using default Azure Ad but not the device registration one.

 

Another thing I have noticed is the following.

 

Where a user picture has been assigned to Office 365, which is visible in office.com and mobile apps, should this  appear on Windows 10 devices at the login screen?

 

I got this once, but since retiring the device and re-enrolling again, I don't see it anymore.

 

@Stuart King 

 

  1. Verify that the user who is going to enroll the device has a valid Intune license.
  2. Make sure that your auto-enrollment (MDM user scope to "All") settings are configured under Microsoft Intune instead of Microsoft Intune Enrollment.
  3. Verify that the Enable Automatic MDM enrollment using default Azure AD credentials group policy   (Computer Configuration > Policies > Administrative Templates > Windows Components > MDM) is properly deployed to all devices which should be enrolled into Intune.
  4. Verify that Microsoft Intune should allow enrollment of Windows devices (Device enrollment restrictions in Endpoint Manager portal)

 

I recently had another instance where the AzureAdPrt was NO, an MS support agent gave me the following steps:

1) whoami /upn Run the command in commad prompt UPN should be same in cloud .

 

 2) Add the URL in IE

 

2020-09-17 23_38_32-Window.png

 

·  https://enterpriseregistration.windows.net

·  https://login.microsoftonline.com

·  https://device.login.microsoftonline.com

·  https://autologon.microsoftazuread-sso.com

 

3)      Open task scheduler(AS admin )> Microsoft>Windows> Work place join>right click on “Auto work place join” and make sure it is in “running” state.

4)      Then re-start machine and run dsregcmd /status , check for Azure prt status.

5)      dsregcmd /debug /leave in admin mode.

6)      Once machine up run dsregcmd /debug /join in admin mode.