When you join a device to Azure AD and automatic Windows enrollment has been configured, the device is automatically enrolled in Intune at the moment it is added to Azure Active Directory. This does not happen when a device is synced from Active Directory to Azure AD; in that case the MDM status is “NONE”, as you can see in the screenshot. In this post I will show how to enroll such a device in Intune.
How to enroll Hybrid AD synced devices into Intune
1. Log into your Azure Tenant using https://portal.azure.com
2. First check if Automatic Windows Enrollment has been configured in Intune. Go to “Microsoft Intune -> Device Enrollment -> Windows Enrollment” and select “Automatic Enrollment”
3. Check if the MDM user scope has been configured and the URLs are set to the defaults (if not, select “Restore default MDM URLs”). Press Save if changes need to be made.
4. Now we need to check if the device restrictions have been set up correctly. Go to “Microsoft Intune -> Device Enrollment -> Enrollment restrictions” and select “Device type restrictions”
5. Select “Properties” and check if “Windows (MDM)” is “allowed”
6. The final step is to enable MDM enrollment on the Windows 10 device. This can be done in three ways:
- Registry
  - HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
    - AutoEnrollMDM – DWORD – 1
    - UseAADCredentialType – DWORD – 1
- Local Policy
- Group Policy (first update the Administrative Templates for the Windows 10 version in use)
7. In this guide we will use the local policy. First start the Local Group Policy Editor with administrator rights (search for gpedit.msc and run it as administrator).
8. Go to Local Computer Policy -> Computer Configuration -> Administrative Templates -> Windows Components -> MDM and select “Enable automatic MDM enrollment using default Azure AD Credentials”
9. Enable the policy and press “Apply”. (Screenshot on the right: from W10 1903 an option has been added to choose which credential type to use. Select “User Credential”.)
10. In the background a task will be created to enroll the device.
11. After some time the status of the device will change from “MDM: None” to “MDM: Microsoft Intune”
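The registry option from step 6 can be applied and checked from an elevated PowerShell session. This is an added example, not part of the original post: it confirms the device is hybrid joined before writing the two values, and the `EnterpriseMgmt` scheduled task folder it lists afterwards is an assumption about where Windows creates the enrollment task from step 10.

```powershell
# Added example: apply and verify the step 6 registry values on one device.
# Run in an elevated PowerShell session.
$mdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$wanted = [ordered]@{
    AutoEnrollMDM        = 1   # value given in step 6
    UseAADCredentialType = 1   # value given in step 6
}

# Only a device that is both domain joined and Azure AD joined (hybrid)
# is in scope; stop early otherwise so the policy is not set blindly.
$dsreg        = dsregcmd /status | Out-String
$aadJoined    = $dsreg -match 'AzureAdJoined\s*:\s*YES'
$domainJoined = $dsreg -match 'DomainJoined\s*:\s*YES'
if (-not ($aadJoined -and $domainJoined)) {
    Write-Warning "Not hybrid joined (AzureAdJoined=$aadJoined, DomainJoined=$domainJoined). Nothing changed."
    return
}

# Create the policy key if it does not exist yet.
if (-not (Test-Path $mdmKey)) {
    New-Item -Path $mdmKey -Force | Out-Null
}

# Write each value only when it differs, and report what changed.
foreach ($name in $wanted.Keys) {
    $current = (Get-ItemProperty -Path $mdmKey -Name $name -ErrorAction SilentlyContinue).$name
    if ($current -ne $wanted[$name]) {
        New-ItemProperty -Path $mdmKey -Name $name -Value $wanted[$name] `
            -PropertyType DWord -Force | Out-Null
        Write-Output "Set $name = $($wanted[$name]) (previous: $current)"
    } else {
        Write-Output "$name already set to $current"
    }
}

# Assumption: the enrollment task from step 10 appears under this folder.
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Select-Object TaskPath, TaskName, State

# Re-read the join state; the MDM status itself is confirmed in the portal (step 11).
dsregcmd /status | Select-String 'AzureAdJoined|DomainJoined|MdmUrl'
```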