In this post we’ll configure automatic Intune enrollment for on-premises AD-joined Windows 10 devices.

Steps already completed:

  1. Two Local users created
  2. Azure AD Connect configured
  3. Seamless Single Sign-On (IE) configured
  4. Seamless Single Sign-On (Firefox) configured
  5. Hybrid Azure AD Join configured

Lab machines:

  1. SkyDC: Machine with ADDS, DNS, DHCP role
  2. SkyCON: Machine running Azure AD Connect
  3. SkyCM: Machine with Configuration Manager Current Branch
  4. SkyTEN1: Domain Joined Windows 10 machine
  5. SkyTEN2: Domain Joined Windows 10 machine
  6. SkyTEN3i: Domain Joined Windows 10 machine (to be Intune Managed)
  7. SkyTEN4i: Domain Joined Windows 10 machine (to be Intune Managed)

Log in to the Azure portal. Search for Intune in All services and bookmark it.

Navigate to Intune -> Quick Start.

Check the Account details. The Account status should be Active and MDM Authority should be set to Microsoft Intune.

Navigate to Intune -> Device Enrollment -> Windows Enrollment -> CNAME Validation.

In CNAME Validation, enter your verified domain and click Test.

The result should be Success. If it is not, click Learn more to open the article that explains how to set up the correct CNAME record.

Create an AD group containing the devices that Microsoft Intune will manage. The devices must be Hybrid Azure AD Joined.

Open Active Directory Users and Computers. Right-click Users -> New and click Group.

Enter group name and click OK.

I have used Intune Enrollment User Based.

Open the group properties and navigate to the Members tab.

Click Add, add the devices to the group, and click OK when done.

Create a Group Policy to configure Intune Enrollment.

Start Group Policy Management.

Right-click your domain and click Create a GPO in this domain, and Link it here….

Enter GPO Name and click OK. I have entered Intune Enrollment GPO.

Right-click the created GPO and click Edit.

Navigate to Computer Configuration -> Policies -> Administrative Templates -> Windows Components -> MDM.

Right-click Enable automatic MDM enrollment using default Azure AD credentials and click Edit.

Select Enabled.

In Select Credential Type to Use, select User Credential and click OK.

Close the window.

Select the GPO created above. Under Security Filtering, click Add.

Follow the wizard and add the group created above.

Navigate to the Delegation tab and click Advanced.

Select Authenticated Users and uncheck Apply group policy.

Close the window.

Log in to the Azure portal. Navigate to Azure Active Directory -> Devices -> All Devices. The device entry is now visible.

Navigate to Intune -> Devices -> All Devices. The device entry is visible here as well.

To bring other domain-joined devices under Intune management, add them to the group created above.
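A client-side check to run on a device such as SkyTEN3i after a `gpupdate` and an interactive sign-in, added here as an example and not part of the original post: it reads the registry values the MDM policy writes, parses `dsregcmd /status`, looks for the enrollment client's scheduled task, and reads the enrollment result events. The registry value names and event IDs are stated from the MDM ADMX and the DeviceManagement-Enterprise-Diagnostics-Provider log as I know them; treat them as assumptions and confirm against your build.

```powershell
# Added example (not from the original post): verify the pieces the GPO above relies on,
# on a Hybrid Azure AD Joined client. Registry names and event IDs are assumptions drawn
# from the MDM ADMX and the enrollment client's event log; adjust if your build differs.
function Test-IntuneAutoEnrollment {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Policy written by "Enable automatic MDM enrollment using default Azure AD credentials".
    #    UseAADCredentialType 1 = User Credential (as selected in the post), 2 = Device Credential.
    $pol = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p = Get-ItemProperty -Path $pol -ErrorAction SilentlyContinue
    $result.PolicyApplied = [bool]($p -and $p.AutoEnrollMDM -eq 1)
    $result.CredentialType = switch ($p.UseAADCredentialType) {
        1 { 'User' } 2 { 'Device' } default { 'NotSet' }
    }

    # 2. Hybrid join state. User Credential enrollment needs a PRT for the signed-in user,
    #    so AzureAdPrt must be YES; it only exists after an interactive sign-in.
    $ds = dsregcmd /status
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') {
        $line = $ds | Where-Object { $_ -match "^\s*$key\s*:" } | Select-Object -First 1
        $result[$key] = [bool]($line -and $line -match ':\s*YES\s*$')
    }

    # 3. The scheduled task the enrollment client creates once the policy is applied.
    $task = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
        $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
        $_.TaskName -like 'Schedule created by enrollment client*'
    }
    $result.EnrollmentTaskPresent = [bool]$task

    # 4. Outcome events: 75 = Auto MDM Enroll succeeded, 76 = failed (HRESULT is in the message).
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $ev = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } -MaxEvents 5 -ErrorAction SilentlyContinue
    $result.LastEnrollEvent = if ($ev) {
        '{0}: {1}' -f $ev[0].Id, ($ev[0].Message -split "`n")[0]
    } else { 'none yet' }

    [pscustomobject]$result
}

Test-IntuneAutoEnrollment | Format-List
```

If PolicyApplied is false on a device that is in the group, check that Authenticated Users still has Read on the GPO after you removed Apply group policy, since the computer account needs that permission to read the policy.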
