Group Policy-Enrolling a device in Microsoft Intune

Group Policy-Enrolling a device in Microsoft Intune

Enrollment using group policy method in Microsoft Intune is a way to automatically enroll Windows 10 or Windows 11 devices in Intune by using Group Policy. This method is useful when you want to enroll multiple devices in Intune without having to manually configure each device individually. When a device is joined to the domain and the GPO is applied, the device will automatically enroll in Intune .It is particularly useful for organizations that want to enroll a large number of devices in Intune quickly and efficiently, without having to manually configure each device individually.

1. Pre-requisites

Before you can use the enrollment using group policy method in Microsoft Intune, there are a few prerequisites that you need to meet:

• You need to have an active Microsoft Intune subscription, and you need to be a Global administrator or an Intune administrator in your organization.

• Your devices need to be running Windows 10 version 1709 or later.

• Your devices need to be joined to your organization's Active Directory domain.

• Valid Intune License for enrolling user

• Verify auto-enrollment is activated

  

  Open 9.png

  

• Verify enrollment restriction

• Verify that Azure AD allows the logon user to enroll devices.

• Devices should be hybrid Azure AD joined. Follow link for Hybrid Join

  

  Open 1.png

  

• Windows 10 or 11 ADMX is installed to enable the group policy. See troubleshooting tips below for installation of ADMX.

• User Principal Names (UPNs) associated with the on-premises Active Directory Domain Services (AD DS) domain . See troubleshooting tips below for changing UPNs.

Configure auto-enrollment group policy

1. Open Group Policy Management from the start menu. Alternatively, type gpmc.msc in Run window on Domain Controller

   

   Open 2.png

   

2. Right-Click on Group Policy Object and Select NEW. Give it a name such as Microsoft Intune.

   

   Open 5.png

   

3. Right-Click on the newly created policy “Microsoft Intune” and select Edit.

4. Edit the new GPO that you created and go to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM. Double click Enable Automatic MDM Enrollment Using Default Azure AD Credentials and click Apply and Ok.

   • Select Enable

   • Select User Credentials in Credential type.

     

     Open 4.png

     

5. Link this policy to the correct Organizational Unit in which your devices are located. Right click on the Domain and click on Link an Existing GPO and you will see your newly created GPO.

6. You can then filter the GPO to only apply to the Computers group.

   

   Open 3.png

   

7. Open Command Prompt on Windows 10 or 11 device which is domain joined with your on premise active directory (in turn hybrid joined with EntraID) and Run gpupdate /force to apply Group Policy.

8. Restart above machine.

Troubleshooting Tips

1. If you don't see “Enable Automatic MDM Enrollment Using Default Azure AD Credentials” in Step 5 then follow below steps.

   1. Download Windows ADMX templates from Microsoft site or from given drive location (Preferred to use setup available on drive).

   2. Double click on the .msi file to start the installation.

   3. Once the installation on ADMX is completed, go to the location where you just installed the Administrative Templates (default: C:\Program Files (x86)\Microsoft Group Policy\…\PolicyDefinitions)

      - Make sure the PolicyDefinations folder having MDM.admx and the MDM.adml files in it.

   4. Copy the .admx files + at least one or more language folders (based on what language your Domain Controller is) or Copy the PolicyDefinitions Folder.

      

      Open 6.png

      

   5. Paste them in \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (change ‘Website Domain Names, Online Stores & Hosting - Domain.com’ to your own domain name).

      

      Open 8.png

      

   6. Extra: You might have to create the folder PolicyDefinitions if it doesn’t already exist. If you already have a folder with .admx files in there, just copy the MDM.admx and the MDM.adml from the language folder and overwrite them with the existing ones.

   7. Now you should be able to see the setting in Step 4 of Configure Auto-enrollment Group Policy, Enable it.

2. Adding UPN suffixes and update users.

   1. Get your UPN Suffix from Azure Admin Center.

      

      Open 11.png

      

   2. On the AD DS domain controller, in the Server Manager choose Tools > Active Directory Domains and Trusts.

   3. In the Active Directory Domains and Trusts window, right-click Active Directory Domains and Trusts, and then choose Properties.

   4. On the UPN Suffixes tab, in the Alternative UPN Suffixes box, type your new UPN suffix from Step 1, and then choose Add > Apply. Choose OK.

      

      Open 12.png

      

   5. On the AD DS domain controller, in the Server Manager choose Tools > Active Directory Users and Computers. Select a user, right-click, and then choose Properties.

   6. On the Account tab, in the UPN suffix drop-down list, choose the new UPN suffix, and then choose OK.

      

      Open 13.png

      

   7. Complete these steps for every user.

   8. Use PowerShell commands to update all contoso.local suffixes to contoso.com.

How to deploy the MSI package to an enrolled device through Microsoft Intune.