Group Policy-Enrolling a device in Microsoft Intune
- Updated on 02 Apr 2025
- 6 Minutes to read
Enrollment using the Group Policy method is a way to automatically enroll Windows 10 or Windows 11 devices in Microsoft Intune by applying a Group Policy Object (GPO) to domain-joined devices, instead of configuring each device by hand. When a device is joined to the on-premises domain (and hybrid joined to Microsoft Entra ID) and the GPO applies, the policy creates a scheduled task that enrolls the device in Intune using the signed-in user's Entra ID credentials. This makes the method particularly useful for organizations that need to enroll a large number of existing domain-joined devices quickly and consistently.
1. Pre-requisites
Before you can use the Group Policy enrollment method in Microsoft Intune, the following prerequisites must be met:
An active Microsoft Intune subscription, and an account with the Intune Administrator role (Global Administrator also works, but the narrower Intune Administrator role is sufficient for this task).
Devices must be running Windows 10 version 1709 (build 16299) or later, or Windows 11.
Devices must be joined to your organization's on-premises Active Directory domain.
The enrolling user must have a valid Intune license.
Verify that automatic MDM enrollment is enabled: in the Microsoft Entra admin center, under Mobility (MDM and MAM) > Microsoft Intune, the MDM user scope must include the enrolling users.
Verify that Intune enrollment restrictions (device platform restrictions) allow Windows (MDM) enrollment for those users.
Verify that Microsoft Entra ID allows the signing-in user to enroll devices.
Devices must be hybrid Microsoft Entra joined (see the Hybrid Join article).
The Windows 10 or 11 ADMX templates must be installed so that the MDM policy setting is available in the Group Policy editor. See the troubleshooting tips below for installing the ADMX templates.
User Principal Names (UPNs) in the on-premises Active Directory Domain Services (AD DS) domain must use a suffix that is verified in Microsoft Entra ID (for example contoso.com rather than contoso.local), so that the on-premises and cloud UPNs match. See the troubleshooting tips below for changing UPNs.
Configure auto-enrollment group policy
1. Open Group Policy Management from the Start menu on a domain controller, or type gpmc.msc in the Run window.
2. Right-click Group Policy Objects and select New. Give the GPO a name such as Microsoft Intune.
3. Right-click the newly created policy "Microsoft Intune" and select Edit.
4. In the editor, go to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM and double-click Enable Automatic MDM Enrollment Using Default Azure AD Credentials.
5. Select Enabled.
6. Select User Credential in Credential type, then click Apply and OK.
7. Link the policy to the Organizational Unit that contains the target devices. To narrow the scope further, use security filtering so that only a security group containing those computers has Apply group policy; leave Authenticated Users (or Domain Computers) with Read, because the computer account must be able to read the GPO for it to be processed.
8. On a Windows 10 or 11 device that is joined to the on-premises domain (and therefore hybrid joined to Entra ID), open a Command Prompt and run gpupdate /force to apply the policy.
9. Restart the device. The enrollment runs in the context of the next user who signs in, so that user must be licensed for Intune and within the MDM user scope.
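The GPO creation, configuration, filtering and linking steps above can be scripted with the GroupPolicy module instead of clicked through in GPMC. The following is an added example and is not code from the original article: the GPO name, the OU distinguished name and the computer security group are placeholders for your environment, and it assumes you run it on a domain controller (or a host with RSAT) as a user who may create and link GPOs. The registry values it sets are the ones the "Enable Automatic MDM Enrollment Using Default Azure AD Credentials" template writes.

```powershell
# Added example (not from the original article): scripted equivalent of steps 1-7.
# Assumed placeholders: GPO name, target OU, and the security group that holds the devices.
#Requires -Modules GroupPolicy, ActiveDirectory

$GpoName       = 'Microsoft Intune'                  # assumed GPO name
$TargetOu      = 'OU=Workstations,DC=contoso,DC=com' # assumed OU containing the devices
$ComputerGroup = 'Intune-AutoEnroll-Computers'       # assumed security group of computer accounts

# Registry location the MDM ADMX setting writes to.
# AutoEnrollMDM = 1 enables the policy; UseAADCredentialType 1 = User Credential, 2 = Device Credential.
$MdmKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# 1. Create the GPO if it does not exist yet.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Automatic MDM enrollment into Intune'
}

# 2. Enabled + Credential type = User Credential.
Set-GPRegistryValue -Name $GpoName -Key $MdmKey -ValueName 'AutoEnrollMDM'        -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $MdmKey -ValueName 'UseAADCredentialType' -Type DWord -Value 1 | Out-Null

# 3. Security filtering. Keep Read for Authenticated Users: since MS16-072 the computer account
#    must be able to read the GPO, and removing that right silently stops the policy applying.
#    Only the computer group receives Apply.
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group -PermissionLevel GpoRead -Replace | Out-Null
Set-GPPermission -Name $GpoName -TargetName $ComputerGroup        -TargetType Group -PermissionLevel GpoApply        | Out-Null

# 4. Link to the OU holding the devices, unless it is already linked there.
$linked = (Get-GPInheritance -Target $TargetOu).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $TargetOu -LinkEnabled Yes | Out-Null
}

# 5. Print the resulting settings and ACL for review.
Get-GPRegistryValue -Name $GpoName -Key $MdmKey | Select-Object ValueName, Type, Value
Get-GPPermission -Name $GpoName -All |
    Select-Object @{ n = 'Trustee'; e = { $_.Trustee.Name } }, Permission
```

Before rolling the GPO out widely, run Get-GPOReport -Name 'Microsoft Intune' -ReportType Html on it and confirm that the only computer-side setting it carries is the MDM enrollment policy and that the Apply right is limited to the intended group.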
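The prerequisites listed earlier and the gpupdate/restart step both leave open the question of how to confirm, on the device itself, that the policy arrived and the enrollment ran. The following read-only check script is an added example, not code from the original article; it assumes only an elevated PowerShell session on the target Windows 10/11 device and uses the enrollment scheduled task and event log that the auto-enrollment policy creates.

```powershell
# Added example (not from the original article): pre-flight and post-policy checks on the client.
# Read-only. Assumes an elevated PowerShell session on the domain-joined Windows 10/11 device.
#Requires -RunAsAdministrator

$report = [ordered]@{}

# Windows 10 1709 is build 16299; older builds cannot auto-enroll through this policy.
$build = [int](Get-ItemProperty 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion').CurrentBuildNumber
$report['OS build >= 16299'] = $build -ge 16299

# dsregcmd /status prints "Name : Value" lines; collect them into a hashtable.
$ds = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') { $ds[$Matches[1]] = $Matches[2] }
}
$report['Domain joined']       = $ds['DomainJoined']  -eq 'YES'
$report['Hybrid Entra joined'] = $ds['AzureAdJoined'] -eq 'YES'   # YES together with DomainJoined = hybrid join
$report['MDM URL present']     = -not [string]::IsNullOrEmpty($ds['MdmUrl'])

# The signed-in user's UPN suffix must be verified in Entra ID; a .local suffix is never routable.
$upn = whoami /upn
$report['UPN is routable'] = [bool]$upn -and ($upn -notmatch '\.local$')

# Once Group Policy has applied, the template's values appear here (1 = enabled, credential type 1 = user).
$pol = Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
$report['GPO applied (AutoEnrollMDM=1)'] = ($pol.AutoEnrollMDM -eq 1)
$report['Credential type = user']        = ($pol.UseAADCredentialType -eq 1)

# The policy creates a scheduled task that performs the enrollment; check that it exists.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object TaskName -like 'Schedule created by enrollment client*'
$report['Enrollment task present'] = [bool]$task

# Event 75 = Auto MDM Enroll succeeded, 76 = failed. The failure text normally names the cause
# (no Intune licence, user outside the MDM user scope, enrollment restriction, unverified UPN suffix).
$events = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Id      = 75, 76
} -MaxEvents 5 -ErrorAction SilentlyContinue
$report['Last enrollment event'] = if ($events) { "$($events[0].Id): $($events[0].Message)" } else { 'none yet' }

[PSCustomObject]$report | Format-List
```

Run it once before linking the GPO (everything from "GPO applied" down should be false or empty) and again after the restart and a user sign-in; a "76" event with the message text is usually enough to point at which prerequisite was missed.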
Troubleshooting Tips
If you don't see "Enable Automatic MDM Enrollment Using Default Azure AD Credentials" in step 4 of Configure auto-enrollment group policy, the MDM administrative template is missing from the policy store the editor is reading. Follow the steps below.
Download the Windows ADMX templates (the Administrative Templates .msi for your Windows version) from the Microsoft site.
Double-click the .msi file to start the installation.
Go to the location where the Administrative Templates were installed (default: C:\Program Files (x86)\Microsoft Group Policy\…\PolicyDefinitions).
Copy the .admx files together with at least one language folder (matching the language of your domain controller, for example en-US).
Paste them into \\domain.com\sysvol\domain.com\Policies\PolicyDefinitions (replace domain.com with your own domain name). This folder is the Group Policy Central Store; once it exists, the editor reads templates from it rather than from the local C:\Windows\PolicyDefinitions folder on each management host.
Create the PolicyDefinitions folder if it does not already exist. If the folder already contains .admx files, copy only MDM.admx and MDM.adml (from the language folder) and overwrite the existing copies; take both files from the same package so that the .admx and .adml versions match.
Now you should be able to see the setting in step 4 of Configure auto-enrollment group policy. Enable it.
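The Central Store update in the steps above can be done with a short script that also handles the two edge cases the text mentions, a missing PolicyDefinitions folder and an existing store that must only have MDM.admx/MDM.adml overwritten. This is an added example, not code from the original article; it assumes the templates were installed to the default "Microsoft Group Policy" folder by the .msi, that the domain controller language is en-US, and that you run it as a domain administrator with write access to SYSVOL.

```powershell
# Added example (not from the original article): copy the MDM template into the SYSVOL Central Store.
# Assumptions: default .msi install root below, language en-US, run as a domain admin.
#Requires -Modules ActiveDirectory

$TemplateRoot = 'C:\Program Files (x86)\Microsoft Group Policy'   # assumed .msi install root
$Language     = 'en-US'                                             # match your DC's language
$Domain       = (Get-ADDomain).DNSRoot
$Central      = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"

# Pick the most recently installed template package under the install root (its folder name
# carries the Windows version, which is why it is discovered rather than hard-coded).
if (-not (Test-Path $TemplateRoot)) { throw "Template root not found: $TemplateRoot" }
$pkg = Get-ChildItem -Path $TemplateRoot -Directory |
       Sort-Object LastWriteTime -Descending | Select-Object -First 1
if (-not $pkg) { throw "No Administrative Templates package found under $TemplateRoot" }
$Source = Join-Path $pkg.FullName 'PolicyDefinitions'

# Create the Central Store and its language folder if they do not exist yet.
foreach ($dir in @($Central, (Join-Path $Central $Language))) {
    if (-not (Test-Path $dir)) { New-Item -ItemType Directory -Path $dir | Out-Null }
}

# Copy only the MDM template pair, keeping a timestamped backup of anything overwritten.
# Widen the list (e.g. Get-ChildItem $Source -Filter *.admx) for a full Central Store refresh.
$stamp = Get-Date -Format 'yyyyMMdd-HHmmss'
foreach ($rel in @('MDM.admx', "$Language\MDM.adml")) {
    $src = Join-Path $Source  $rel
    $dst = Join-Path $Central $rel
    if (-not (Test-Path $src)) { throw "Missing template file: $src" }
    if (Test-Path $dst) { Copy-Item -Path $dst -Destination "$dst.$stamp.bak" }
    Copy-Item -Path $src -Destination $dst -Force
    Write-Host "Copied $rel -> $dst"
}

# Confirm the copied template defines the auto-enrollment policy GPMC should now display.
$hit = Select-String -Path (Join-Path $Central 'MDM.admx') -Pattern 'AutoEnrollMDM' | Select-Object -First 1
if ($hit) { Write-Host "OK: MDM.admx in the Central Store defines AutoEnrollMDM (line $($hit.LineNumber))" }
else      { Write-Warning 'MDM.admx in the Central Store does not reference AutoEnrollMDM; check the package version' }
```

Close and reopen the Group Policy Management Editor after the copy; it loads templates once per session, so the new setting only appears in a fresh editor window.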
Adding UPN suffixes and updating users
Get the UPN suffix you want to use from the Microsoft Entra admin center: it must be a custom domain that has been added and verified there (for example contoso.com).
On the AD DS domain controller, in Server Manager choose Tools > Active Directory Domains and Trusts.
In the Active Directory Domains and Trusts window, right-click Active Directory Domains and Trusts, and then choose Properties.
On the UPN Suffixes tab, in the Alternative UPN Suffixes box, type the new UPN suffix from Step 1, and then choose Add > Apply. Choose OK.
On the AD DS domain controller, in Server Manager choose Tools > Active Directory Users and Computers. Select a user, right-click, and then choose Properties.
On the Account tab, in the UPN suffix drop-down list, choose the new UPN suffix, and then choose OK.
Repeat these steps for every user, or use the PowerShell script below to update all users at once.
Use PowerShell to update all contoso.local UPN suffixes to contoso.com (replace both values with your own suffixes). Run it on a domain controller or a host with the Active Directory module installed:
```powershell
# Find every user whose UPN ends in @contoso.local and rewrite it to @contoso.com
$LocalUsers = Get-ADUser -Filter "UserPrincipalName -like '*contoso.local'" -Properties UserPrincipalName -ResultSetSize $null
$LocalUsers | ForEach-Object {
    $newUpn = $_.UserPrincipalName.Replace("@contoso.local", "@contoso.com")
    $_ | Set-ADUser -UserPrincipalName $newUpn
}
```
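The one-liner above changes UPNs immediately and for every matching user in the domain. The following added example (not code from the original article) performs the same suffix change with the safeguards a production run wants: it registers the alternative suffix on the forest (the Domains and Trusts step), limits the change to one OU, skips any user whose new UPN would collide with an existing one, and prints a dry run before committing. The suffixes and the OU distinguished name are placeholders; contoso.com is assumed to be already verified in Entra ID, and adding a forest UPN suffix requires Enterprise Admin rights.

```powershell
# Added example (not from the original article): register a routable UPN suffix and rewrite user UPNs safely.
# Assumed placeholders: the two suffixes and $SearchBase. Requires Enterprise Admin for Set-ADForest.
#Requires -Modules ActiveDirectory

$OldSuffix  = 'contoso.local'
$NewSuffix  = 'contoso.com'                     # must already be verified in Entra ID
$SearchBase = 'OU=Users,DC=contoso,DC=local'    # assumed; scope the change to one OU at a time
$Commit     = $false                            # set to $true after reviewing the dry run

# 1. Register the alternative suffix on the forest (what the Domains and Trusts dialog does).
$forest = Get-ADForest
if ($forest.UPNSuffixes -notcontains $NewSuffix) {
    Set-ADForest -Identity $forest -UPNSuffixes @{ Add = $NewSuffix }
    Write-Host "Registered UPN suffix $NewSuffix on forest $($forest.Name)"
}

# 2. Build the change plan. A duplicate UPN breaks sign-in and Entra Connect sync for both
#    accounts, so any target UPN that already exists is flagged and skipped.
$pattern = '@' + [regex]::Escape($OldSuffix) + '$'
$users = Get-ADUser -Filter "UserPrincipalName -like '*@$OldSuffix'" -SearchBase $SearchBase `
                    -Properties UserPrincipalName -ResultSetSize $null
$plan = foreach ($u in $users) {
    $newUpn = $u.UserPrincipalName -replace $pattern, "@$NewSuffix"
    $clash  = Get-ADUser -Filter "UserPrincipalName -eq '$newUpn'" -ErrorAction SilentlyContinue
    [PSCustomObject]@{
        Sam  = $u.SamAccountName
        Old  = $u.UserPrincipalName
        New  = $newUpn
        Skip = [bool]$clash
    }
}
$plan | Format-Table -AutoSize

# 3. Apply only when $Commit is true; otherwise report what would change.
foreach ($p in ($plan | Where-Object { -not $_.Skip })) {
    if ($Commit) { Set-ADUser -Identity $p.Sam -UserPrincipalName $p.New }
    else         { Write-Host "DRY RUN: $($p.Old) -> $($p.New)" }
}
Write-Host ("{0} users planned, {1} skipped for UPN clashes" -f @($plan).Count, @($plan | Where-Object Skip).Count)
```

After the change, trigger an Entra Connect sync cycle and tell the affected users to sign in with the new UPN; the device enrollment described in this article uses the UPN of the user who signs in, so it only succeeds once the on-premises and cloud UPNs agree.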