MDM Enroll

Automatically MDM Enroll Windows 10 devices using Group Policy

In this topic we’ll be setting up Windows 10 1709 devices to automatically register with Azure AD and auto-MDM enroll to Microsoft Intune. I want to share my own experience migrating from Microsoft Intune enrolled devices using the PC Client Software (Agent) to re-enrolling these devices using the MDM channel. This way we can facilitate our move/migration to the cloud one step at a time.

Current situation

  • On-premise AD
  • Devices are domain joined.
  • Devices are managed by Microsoft Intune as computers using the PC Client Software
  • Group Policies are deployed
  • ADFS deployed (Federated)

New Situation

  • On-premise AD
  • Devices are domain joined.
  • Devices are retired/removed from the old Intune portal
  • Devices are automatically Azure AD registered
  • Devices are auto-MDM enrolled and managed by Intune using the MDM channel (as mobile devices)
  • Group Policies are deployed
  • ADFS deployed (Federated)

Prerequisites

  • Active Directory joined devices running Windows 10, version 1709
  • Functional MDM Service
  • Active Directory integrated with Azure AD
  • Devices are Azure AD registered

Step 1: Registering devices with Azure Active Directory

One of the requirements to make this all work is that devices are registered with Azure Active Directory. We have an on-premises Active Directory environment and want to join our domain-joined devices to Azure AD. This can be accomplished by configuring Hybrid Azure AD joined devices. Microsoft has already written an article about this, so I won’t go into details. Read the documentation and make sure your devices register with Azure AD.

Verify joined devices:

You can check successfully joined devices using dsregcmd.exe. On the test device, run dsregcmd /status from the command line.


The AzureAdJoined value should be YES. Further below you will also see that the value for DomainJoined is YES.

AzureAdJoined : YES
EnterpriseJoined : NO
-------------//-------------
DomainJoined : YES
DomainName : yourdomainname

This means the device is Hybrid Azure AD joined. You can also verify this in the Azure portal:

Navigate to Azure > Azure Active Directory > Devices > All devices and search for your device name.

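As an added example (not code from the original post), the check above can be scripted so that the join state is classified instead of read by eye. The function parses the "Key : Value" lines that dsregcmd /status prints and combines AzureAdJoined, DomainJoined and WorkplaceJoined into one verdict; the constructed sample at the bottom mirrors the fields shown in the post, and dropping the -Lines parameter runs the live command on the client.

```powershell
# Added example: parse `dsregcmd /status` and classify the device's join state.
# Assumes dsregcmd.exe is on the PATH (Windows 10). Note: the "User State" section
# (WorkplaceJoined etc.) is only populated when run in the user's own session,
# not as SYSTEM.
function Get-DsregStatus {
    param(
        # Output lines of dsregcmd /status; defaults to running the live command.
        [string[]]$Lines = (& dsregcmd.exe /status)
    )
    $state = @{}
    foreach ($line in $Lines) {
        # Lines look like "    AzureAdJoined : YES"
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-JoinType {
    param([hashtable]$State)
    $aad    = $State['AzureAdJoined']   -eq 'YES'
    $domain = $State['DomainJoined']    -eq 'YES'
    $wpj    = $State['WorkplaceJoined'] -eq 'YES'

    # Hybrid Azure AD joined = both AzureAdJoined and DomainJoined are YES,
    # which is the state the post expects before moving on to Step 2.
    if ($aad -and $domain) { return 'Hybrid Azure AD joined' }
    if ($aad)              { return 'Azure AD joined' }
    if ($domain -and $wpj) { return 'Domain joined and Azure AD registered' }
    if ($domain)           { return 'Domain joined only (not registered with Azure AD)' }
    return 'Not joined'
}

# Constructed sample output, mirroring the fields shown in the post:
$sample = @'
AzureAdJoined : YES
EnterpriseJoined : NO
DomainJoined : YES
DomainName : yourdomainname
'@ -split "`r?`n"

Write-Output (Get-JoinType -State (Get-DsregStatus -Lines $sample))

# Live check on the client:
# Get-JoinType -State (Get-DsregStatus)
```

Running the live check before enabling the GPO in Step 2 saves a wasted enrollment attempt: a device that reports "Domain joined only" has no Azure AD identity, so the scheduled task created by the policy has nothing to enroll with.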

Good to know before you continue

Remember that in this scenario the devices are managed by Microsoft Intune and enrolled using the Intune Client Software. While registering the devices with Azure AD will work, before continuing you will have to manually retire/remove the devices from the old Intune portal before moving on to the next step. The removal process can take a long time (even up to 12 hours), so be patient. If you do continue like I did, the devices will not MDM enroll until the retire/remove task completes.

See the task scheduler as described here. The Last Run Result will show the error code 0x80180026 “Mobile Device Management (MDM) was blocked, possibly by Group Policy or the SetManagedExternally function.” SetManagedExternally indicates to the MDM agent that the device is managed externally (old Intune portal) and is not to be registered with an MDM service.

Step 2: Prepare for automatic MDM enrollment

Have a look at the prerequisites above and when all requirements are met continue on. With Windows 10 1709 you can use a Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain joined devices. When the auto-enrollment Group Policy is enabled, a scheduled task is created that initiates the auto-MDM enrollment. You can test this with a single device using local policies but I recommend you continue with the Group Policy Object in your AD.

  1. You can find the GPO at: Computer Configuration>Policies>Administrative Templates>Windows Components>MDM;
  2. Open the Auto MDM Enrollment with AAD Token setting, select Enabled and click OK;
  3. Don’t forget to link the GPO to the correct OU and set the Security Filtering to a security group with devices you want to auto-MDM enroll.

Note:

If you do not see the policy, you most likely don’t have the ADMX templates for Windows 10 1709 installed. I’m assuming you know how to install them, so go ahead and do so. You can find the ADMX here.

Group Policy to trigger auto-MDM enrollment

When your device is retired/removed from the old Intune portal, the scheduled task will complete and your device will automatically enroll with MDM.

Verify auto-MDM enrollment

There are a few locations where you can verify a successful auto-MDM enrollment.

1. The first place to look is Settings>Accounts>Access work or school.

When a device is Domain joined it will show the device is connected to your AD domain and only the Disconnect button;

Domain joined

When a device is Azure AD joined it will show the device is connected to your Azure AD and the Info & Disconnect buttons;

auto-MDM enrolled Azure AD joined

Hybrid Azure AD joined, registered with Azure AD and auto MDM-enrolled will show the device is connected to your AD domain and the Info & Disconnect buttons;

auto-MDM enrolled Hybrid Azure AD joined

2. The second one is the Task Scheduler. Check the location for device management tasks at \Microsoft\Windows\EnterpriseMgmt. The schedule created by the GPO should be deleted after a successful auto-MDM enrollment and a folder with a GUID should be there.

Schedule created by enrollment client for automatically enrolling in MDM from AAD Properties

3. The Eventlog should show an Event ID:75 Auto MDM Enroll: Succeeded. Look for the event at Applications and Services Logs/Microsoft/Windows/DeviceManagement-Enterprise-Diagnostics-Provider/Admin

Event ID:75 Auto MDM Enroll: Succeeded
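The three verification points above, plus the blocked-enrollment result described in "Good to know before you continue", can be gathered in one pass. This is an added example, not code from the original post. It assumes, as Microsoft documents for this policy, that the "Auto MDM Enrollment with AAD Token" GPO writes AutoEnrollMDM=1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM; that registry path is not stated on the page. Run it elevated on the client.

```powershell
# Added example: check whether the auto-MDM enrollment policy applied, whether the
# enrollment scheduled task is still pending (and with which result), and whether
# Event ID 75 "Auto MDM Enroll: Succeeded" has been logged.
function Test-AutoMdmEnrollment {
    $result = [ordered]@{
        PolicyApplied         = $false
        PendingTaskLastResult = $null
        EnrollmentTaskFolders = @()
        EnrollSucceededEvent  = $null
    }

    # 1. Policy value (assumption: written by the GPO / local policy, per Microsoft docs)
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $val = (Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue).AutoEnrollMDM
    $result.PolicyApplied = ($val -eq 1)

    # 2. Task Scheduler under \Microsoft\Windows\EnterpriseMgmt. After a successful
    #    enrollment the GPO-created task is gone and a GUID-named subfolder exists.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue
    $result.EnrollmentTaskFolders = @(
        $tasks.TaskPath | Sort-Object -Unique | Where-Object { $_ -match '[0-9a-f-]{36}' }
    )
    $pending = $tasks | Where-Object { $_.TaskName -like 'Schedule created by enrollment client*' }
    foreach ($t in $pending) {
        $info = $t | Get-ScheduledTaskInfo
        # 0x80180026 here means MDM was blocked, e.g. the device is still
        # managed by the old Intune PC client (SetManagedExternally).
        $result.PendingTaskLastResult = ('0x{0:X8}' -f $info.LastTaskResult)
    }

    # 3. Event log: Applications and Services Logs/Microsoft/Windows/
    #    DeviceManagement-Enterprise-Diagnostics-Provider/Admin, Event ID 75
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $ev = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75 } -MaxEvents 1 -ErrorAction SilentlyContinue
    if ($ev) { $result.EnrollSucceededEvent = $ev.TimeCreated }

    [pscustomobject]$result
}

Test-AutoMdmEnrollment | Format-List
```

A healthy device reports PolicyApplied True, no PendingTaskLastResult, at least one GUID folder and a timestamp for EnrollSucceededEvent. A device that is still blocked by the old client shows PolicyApplied True and PendingTaskLastResult 0x80180026, which tells you to wait for the retire/remove task rather than to change anything on the client.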

Bugs and inconsistencies of auto-MDM enrolled devices

Although everything looks just fine, diving a little deeper it looks a little buggy and shows some inconsistencies.

  1. Navigate to Azure Portal>Intune>Devices>All Devices and look for your auto-MDM enrolled device

auto-MDM enrolled device

The Managed By column will show MDM/ConfigMgr and the Compliance column will show See ConfigMgr.

  2. Navigate to Azure Portal>Azure Active Directory>Devices>All Devices

See ConfigMgr Intune Error

Here the Compliance will show Yes, stating the device is compliant.

  3. Open your old Intune portal at https://manage.microsoft.com and navigate to Groups>Devices and search for the device once more:

Devices in old Intune Portal

It will show the device is managed by Intune as a Mobile device, is Azure AD registered and compliant.

  4. Using PowerShell and the Get-MsolDevice cmdlet:

# OS version numbers (DeviceOsVersion) per Windows 10 release:
# 1709 = 10.0.16299
# 1703 = 10.0.15063
# 1607 = 10.0.14393
# 1511 = 10.0.10586
Import-Module MSOnline
Connect-MsolService
# List all Windows 10 1709 devices with their trust type, trust level and registered owners
Get-MsolDevice -All -ReturnRegisteredOwners |
    Where-Object { $_.DeviceOsVersion -like "*16299*" } |
    Format-Table DisplayName, DeviceTrustType, DeviceTrustLevel, DeviceOsType, DeviceOsVersion, DeviceID, RegisteredOwners, ApproximateLastLogonTimestamp -AutoSize

The properties you’re looking for are DeviceTrustType and DeviceTrustLevel.

Powershell DeviceTrustType and DeviceTrustLevel

MDM DeviceTrustType:

  • Domain joined devices have a value of Domain Joined
  • Azure AD joined devices have a value of Azure AD Joined

MDM DeviceTrustLevel:

  • Authenticated devices are Workplace Joined devices that are not enrolled in MDM.
  • Managed devices are registered devices that are enrolled with MDM
  • Compliant devices are registered devices that are not only enrolled with MDM but also compliant with the MDM policies.

It will show the device is Domain Joined and Compliant. Nothing more.
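Because DeviceTrustLevel moves from Authenticated to Managed to Compliant as a device goes through the migration, the Get-MsolDevice query above can be turned into a progress report. The following is an added example, not code from the original post: it takes the objects Get-MsolDevice returns, keeps the Windows 10 1709 devices, and labels each one with where it is in the migration. The rows at the bottom are constructed stand-ins for real Get-MsolDevice output; against a live tenant you pass the output of Get-MsolDevice -All after Connect-MsolService.

```powershell
# Added example: classify devices by DeviceTrustType / DeviceTrustLevel so that
# domain-joined devices that have not yet reached Managed or Compliant stand out.
function Get-MdmMigrationReport {
    param(
        # Objects as returned by Get-MsolDevice (a constructed sample is used below)
        [Parameter(Mandatory)][object[]]$Devices,
        # DeviceOsVersion pattern; 1709 = 10.0.16299
        [string]$OsVersionFilter = '*16299*'
    )
    $Devices |
        Where-Object { $_.DeviceOsVersion -like $OsVersionFilter } |
        ForEach-Object {
            $status = switch ($_.DeviceTrustLevel) {
                'Compliant'     { 'MDM enrolled and compliant' }
                'Managed'       { 'MDM enrolled, not yet compliant' }
                'Authenticated' { 'Registered only, not MDM enrolled' }
                default         { "Unknown trust level: $($_.DeviceTrustLevel)" }
            }
            [pscustomobject]@{
                DisplayName      = $_.DisplayName
                DeviceTrustType  = $_.DeviceTrustType
                DeviceTrustLevel = $_.DeviceTrustLevel
                MigrationStatus  = $status
                LastLogon        = $_.ApproximateLastLogonTimestamp
            }
        }
}

# Constructed sample rows standing in for Get-MsolDevice output (not real devices):
$sample = @(
    [pscustomobject]@{ DisplayName = 'PC01'; DeviceTrustType = 'Domain Joined'; DeviceTrustLevel = 'Compliant';     DeviceOsVersion = '10.0.16299.192'; ApproximateLastLogonTimestamp = (Get-Date) }
    [pscustomobject]@{ DisplayName = 'PC02'; DeviceTrustType = 'Domain Joined'; DeviceTrustLevel = 'Authenticated'; DeviceOsVersion = '10.0.16299.192'; ApproximateLastLogonTimestamp = (Get-Date) }
    [pscustomobject]@{ DisplayName = 'PC03'; DeviceTrustType = 'Domain Joined'; DeviceTrustLevel = 'Managed';       DeviceOsVersion = '10.0.15063.0';   ApproximateLastLogonTimestamp = (Get-Date) }
)
Get-MdmMigrationReport -Devices $sample | Format-Table -AutoSize

# Against the live tenant:
# Import-Module MSOnline; Connect-MsolService
# Get-MdmMigrationReport -Devices (Get-MsolDevice -All) | Group-Object MigrationStatus
```

With the sample rows, PC01 is reported as enrolled and compliant, PC02 as registered but not enrolled, and PC03 is filtered out because it is a 1703 build. Grouping the live output by MigrationStatus gives a quick count of how many devices are still waiting on the retire/remove task in the old portal.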

  5. Intune Graph API and PowerShell

I’ve downloaded the Powershell Intune sample scripts from GitHub to manage Intune using Graph API. There are many useful scripts here and one of them is the Check_lastSyncDateTime.ps1 script. I won’t go into details about using Intune Graph API. Peter van der Woude @ More than just ConfigMgr has a great blog about this topic.

manage Intune using Graph API

Just like the GUI the Intune Graph API shows the device is managed and the Compliance State is ConfigManager.

Auto-MDM Enroll Windows 10; Summary

In this blog we have taken the necessary steps to migrate from the old Intune portal, where devices are managed as computers, to the new Azure Intune portal using the MDM channel, where devices are managed as mobile devices. I’ve also explained the inconsistencies I’ve seen during the migration and consequently created a support request with Microsoft, and I will keep you informed about the outcome. If you do want to refer to the case you can use the support request number: 118012417521948.

Martin Ejvang
Guest

Excellent guide! First time I get a complete explanation. Well done!

Huy Pham
Guest

Excellent article and guideline, very detailed. Thanks for sharing.

I have configured Hybrid Azure AD Joined Devices successfully. Just a note: the client updates slowly, and if you have MFA enabled when registering a device, the system will prompt and the user needs to verify it.

In addition, Group Policy needs two policies configured as you explained above.

Best practice for troubleshooting is to read the Event Log and use dsregcmd /status to analyze.

Radek
Guest

I use the auto-enrolment scenario for a domain joined computer. Intune is set up as standalone. My device is joined to Azure AD (join type Hybrid Join) with success, the device is enrolled in Intune but without user assignment. When I open the Company Portal I see “This device hasn’t been set up for corporate use yet….”. When I try to assign I see the message “device is already being managed by an organization”. In the Intune console I see this device and MDM is enabled. What can I do to assign a user to the device? My previous experience is that after auto enrolment I…

Louis Gephardt
Guest

How does this work with shared devices? For example, would this scenario work in a computer lab where people are constantly logging in/out of the computer?

Alexandros Kanakaris
Guest

I am having an issue where SCCM detects my Hybrid AAD Joined machines as plain Azure AD Joined. Any help appreciated!

https://www.windows-noob.com/forums/topic/16319-sccm-1802-co-management-not-properly-detecting-hybrid-azuread-joined-devices-shows-as-azuread-joined/

Danilo
Guest

Hi Oktay,
Can I set any policy in Intune so that a user can log in only on a determined computer and cannot log on to other computers of the company?