Auto Enroll a Windows device using GPO

Automatically enroll Active Directory (AD) domain-joined Windows 10/11 devices into Microsoft Intune using Group Policy—no user interaction required. This guide covers prerequisites, configuration steps, and troubleshooting.


Key Requirements

✅ Supported OS: Windows 10/11 (domain-joined)
✅ MDM Service: Microsoft Intune configured
✅ AD Integration: Microsoft Entra ID (via Entra Connect)
✅ SCP Configuration: Service Connection Point (SCP) must be set up
❌ No Classic Agents: Devices shouldn’t be enrolled via legacy methods


Steps to Configure Auto-Enrollment

1. For Multiple Devices (Enterprise Setup)

  1. Create a GPO:
    • Navigate to:
      Computer Configuration > Administrative Templates > Windows Components > MDM
    • Enable “Enable automatic MDM enrollment using default Microsoft Entra credentials”.
  2. Assign to a Security Group:
    • Link the GPO to an AD security group containing target devices.
  3. Verify SCP & Replication:
    • Ensure SCP is published via Microsoft Entra Connect.
    • Sync ADMX templates to \\domain\SYSVOL\PolicyDefinitions.

2. For a Single PC (Testing Only)

  1. Open gpedit.msc (Local Group Policy Editor).
  2. Enable the same MDM auto-enrollment policy under:
    Administrative Templates > Windows Components > MDM
  3. Choose User Credential (default) or Device Credential (for specific scenarios).
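The enterprise setup above (create the GPO, enable the MDM policy, scope it to a device group) and the single-PC variant both come down to two registry-backed policy values that the MDM.admx template writes. The following PowerShell script is an added example, not from the original post, that creates the GPO with those values, links it to an OU and scopes it to a security group; the GPO name, OU distinguished name and group name are placeholders to replace with your own. It needs the GroupPolicy RSAT module on a domain-joined admin workstation.

```powershell
# Added example (not from the original post): create and scope the Intune auto-enrollment GPO.
# The ADMX policy "Enable automatic MDM enrollment using default Microsoft Entra credentials"
# is backed by these registry values under the Policies hive:
#   HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
#     AutoEnrollMDM        (DWORD) 1 = policy enabled
#     UseAADCredentialType (DWORD) 1 = User Credential, 2 = Device Credential
# Requires the GroupPolicy module (RSAT) and rights to create/link GPOs in the domain.
#Requires -Modules GroupPolicy
[CmdletBinding()]
param(
    [string]$GpoName     = 'Intune-AutoEnroll-MDM',                 # assumption: your GPO name
    [string]$TargetOU    = 'OU=Workstations,DC=corp,DC=example',    # assumption: OU with the computer objects
    [string]$DeviceGroup = 'CORP\Intune-AutoEnroll-Devices',        # assumption: device security group
    [ValidateSet('User', 'Device')]
    [string]$CredentialType = 'User'                                # 'User' is the ADMX default
)

Import-Module GroupPolicy
$key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$credValue = if ($CredentialType -eq 'User') { 1 } else { 2 }

# 1. Create the GPO, or reuse it if a previous run already created it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Auto-enroll hybrid-joined devices into Intune'
}

# 2. Write the two policy values (this is exactly what enabling the setting in GPMC does).
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'AutoEnrollMDM' `
    -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $key -ValueName 'UseAADCredentialType' `
    -Type DWord -Value $credValue | Out-Null

# 3. Link the GPO to the OU that holds the computer objects (links go on sites, domains and OUs;
#    the security group is applied through security filtering in the next step).
$links = (Get-GPInheritance -Target $TargetOU).GpoLinks
if (-not ($links | Where-Object { $_.DisplayName -eq $GpoName })) {
    New-GPLink -Name $GpoName -Target $TargetOU -LinkEnabled Yes | Out-Null
}

# 4. Security filtering: only members of the device group apply the GPO. Authenticated Users
#    keeps Read (not Apply) so the computer account can still fetch the policy from SYSVOL.
Set-GPPermission -Name $GpoName -TargetName $DeviceGroup -TargetType Group `
    -PermissionLevel GpoApply | Out-Null
Set-GPPermission -Name $GpoName -TargetName 'Authenticated Users' -TargetType Group `
    -PermissionLevel GpoRead -Replace | Out-Null

# 5. Show the resulting registry policy so it can be reviewed before the next policy refresh.
Get-GPRegistryValue -Name $GpoName -Key $key | Format-Table ValueName, Type, Value -AutoSize
```

Run it once as `.\New-IntuneAutoEnrollGpo.ps1 -CredentialType User` (or `Device` for the device-credential scenario). For the single-PC test in gpedit.msc, enabling the same setting writes the same two values to the local machine's Policies key, so the verification steps that follow apply to both setups. Because the group is applied through security filtering, a device only receives the policy after it is a member of the group and has refreshed Kerberos group membership (a reboot or `gpupdate /force` followed by a reboot), which is a common reason a newly added device does not enroll immediately.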

Verification & Troubleshooting

✔ Check Enrollment Status:

  • Go to Settings > Accounts > Access work or school > Select account > Info.

✔ Task Scheduler:

  • Look for:
    Task Scheduler Library > Microsoft > Windows > EnterpriseMgmt
  • Last Run Result: 0x0 = Success; 0x80180026 = Blocked by policy.

✔ Common Errors:

  • “MENROLL_E_DEVICE_MANAGEMENT_BLOCKED”: Disable conflicting MDM policies.
  • Two-Factor Auth Prompt: Configure Conditional Access in Entra ID to bypass.
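The three checks above (enrollment status, the EnterpriseMgmt scheduled task and its Last Run Result, and the common errors) can be collected in one pass on the device under test. The script below is an added example, not from the original post; it is read-only and reports the applied auto-enrollment policy, the hybrid-join state, the enrollment client's scheduled tasks with their result codes, any existing enrollments, and the most recent enrollment errors from the device management event log. It assumes the result-code meanings listed on this page and treats any other code as unknown.

```powershell
# Added example (not from the original post): read-only check of MDM auto-enrollment on a client.
# Run in an elevated PowerShell on the domain-joined device.
#Requires -RunAsAdministrator

# Result codes named on this page; anything else is shown raw for lookup in the
# Microsoft MDM enrollment diagnostics documentation.
$knownResults = @{
    '0x00000000' = 'Success'
    '0x80180026' = 'MENROLL_E_DEVICE_MANAGEMENT_BLOCKED: blocked by policy'
}

function Get-MdmAutoEnrollPolicy {
    # The GPO (or local policy) lands in the Policies hive; AutoEnrollMDM=1 means it applied.
    $k = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $k)) {
        return [pscustomobject]@{ PolicyApplied = $false; CredentialType = '(policy key missing)' }
    }
    $p = Get-ItemProperty -Path $k
    $cred = '(unset)'
    switch ($p.UseAADCredentialType) { 1 { $cred = 'User Credential' } 2 { $cred = 'Device Credential' } }
    [pscustomobject]@{ PolicyApplied = ($p.AutoEnrollMDM -eq 1); CredentialType = $cred }
}

function Get-MdmEnrollmentTask {
    # The enrollment client creates its tasks under \Microsoft\Windows\EnterpriseMgmt\
    # (one sub-folder per enrollment); Last Run Result is the code this page describes.
    $paths = @('\Microsoft\Windows\EnterpriseMgmt\', '\Microsoft\Windows\EnterpriseMgmt\*')
    Get-ScheduledTask -TaskPath $paths -ErrorAction SilentlyContinue | ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        # Normalise to an unsigned 32-bit value so 0x80180026 is not shown as a negative number.
        $code = [uint32]([int64]$info.LastTaskResult -band 4294967295)
        $hex  = '0x{0:X8}' -f $code
        $meaning = if ($knownResults.ContainsKey($hex)) { $knownResults[$hex] } else { 'unknown code' }
        [pscustomobject]@{
            Task       = $_.TaskName
            State      = $_.State
            LastRun    = $info.LastRunTime
            LastResult = $hex
            Meaning    = $meaning
        }
    }
}

function Get-MdmEnrollment {
    # Each enrollment has a GUID sub-key; the Intune MDM enrollment uses ProviderID 'MS DM Server'.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID } |
        Select-Object @{ n = 'EnrollmentId'; e = { Split-Path $_.PSPath -Leaf } },
                      ProviderID, EnrollmentState, EnrollmentType, UPN
}

function Get-MdmEnrollmentError {
    param([int]$Last = 10)
    # The enrollment client logs to this channel; its error events explain a non-zero task result.
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level   = 2   # Error
    } -MaxEvents $Last -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message
}

'== Auto-enrollment policy on this device =='
Get-MdmAutoEnrollPolicy | Format-List
'== Join state (hybrid join via the SCP must be complete before enrollment can succeed) =='
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|MdmUrl'
'== Enrollment client scheduled tasks =='
Get-MdmEnrollmentTask | Format-Table -AutoSize
'== Existing enrollments =='
Get-MdmEnrollment | Format-Table -AutoSize
'== Recent enrollment errors =='
Get-MdmEnrollmentError | Format-List
```

Read the sections in order: if `PolicyApplied` is false the GPO has not reached the device (check the link, security filtering and `gpresult /r`); if `AzureAdJoined` is `NO` the SCP or Entra Connect sync has not completed hybrid join and the enrollment task cannot succeed regardless of the policy; only then does the task's `LastResult` and the event-log errors tell you why the enrollment itself failed.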

Pro Tips

🔹 Policy Precedence: Group Policy overrides MDM settings by default (adjustable in Win10 1803+).
🔹 Avoid Classic Agents: Use modern enrollment for hybrid-joined devices.
🔹 Logs: Check Task Scheduler History for detailed enrollment errors.

Reference: https://learn.microsoft.com/en-us/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy#configure-the-auto-enrollment-group-policy-for-a-single-pc

Troubleshooting: https://learn.microsoft.com/en-us/windows/client-management/mdm-diagnose-enrollment

A Blog: https://www.anoopcnair.com/windows-10-intune-enrollment-using-group-policy/

A Discussion: https://community.spiceworks.com/t/some-devices-not-auto-enrolling-into-intune/956968

LinkedIn: https://www.linkedin.com/pulse/intune-unable-enroll-device-using-gpo-enrollment-method-agarwal-q55ae/
