Fix Auto-Enrollment Issues: Troubleshooting Windows 10 Group Policy in Microsoft Intune


When implementing automatic MDM enrollment for hybrid joined Windows 10 devices using Group Policy and Microsoft Intune, administrators may encounter various issues preventing devices from successfully enrolling. This process relies on a specific configuration synergy between Active Directory Group Policy Objects (GPO), Azure Active Directory (now Microsoft Entra ID), and the Intune service itself. Identifying the root cause requires a systematic approach, checking configurations across these different platforms.

Understanding the typical flow is crucial: A hybrid joined Windows 10 device receives a specific GPO instructing it to automatically enroll into MDM using its existing Microsoft Entra credentials. The device then contacts the Microsoft Entra ID service to discover the MDM enrollment endpoint and proceeds to initiate the enrollment process with Intune. Failures can occur at any step, from the GPO not applying correctly to issues with the Microsoft Entra configuration or the Intune service itself. Let’s explore the key areas to investigate when troubleshooting.

Verifying Core Requirements

Several fundamental prerequisites must be met for automatic enrollment via Group Policy to function correctly. Overlooking these basic checks is a common pitfall in troubleshooting. Ensuring these foundational elements are in place provides a solid starting point before delving into more complex configuration details.

User Licensing

Each user attempting to enroll a device via automatic enrollment must possess a valid Intune license. Without an assigned license, the Intune service will refuse the enrollment request, even if all other configurations are correct. Licensing is a fundamental aspect of Microsoft 365 and Intune service usage, so confirming this for the affected users is a mandatory first step.

Verify that the user attempting the enrollment has an appropriate license SKU assigned that includes Microsoft Intune (e.g., Microsoft 365 Business Premium, Microsoft 365 E3/E5, Enterprise Mobility + Security E3/E5). This assignment is typically managed within the Microsoft 365 Admin Center or the Microsoft Entra admin center. Confirming the license assignment directly to the user object is essential for valid service consumption.
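An added example (not from the original post) that checks the license prerequisite from the admin side with the Microsoft Graph PowerShell SDK. It assumes the Microsoft.Graph.Users module is installed, that you have already run Connect-MgGraph with the User.Read.All scope, and that Intune appears as a service plan whose name starts with INTUNE_A (true for the SKUs named above); the function name and the UPN are placeholders chosen here.

```powershell
# Added example, not part of the original post. Requires: Install-Module Microsoft.Graph.Users
# and a prior Connect-MgGraph -Scopes 'User.Read.All'. Function name is an assumption.
function Test-IntuneLicense {
    param([Parameter(Mandatory)][string]$UserPrincipalName)

    # Every SKU assigned directly or via group to the user, each with its service plans.
    $details = Get-MgUserLicenseDetail -UserId $UserPrincipalName

    # Intune is a service plan (INTUNE_A, INTUNE_A_VL, ...) inside SKUs such as
    # Microsoft 365 Business Premium, E3/E5 or EMS E3/E5. A plan that exists but is
    # 'Disabled' means an admin switched Intune off inside the license: enrollment still fails.
    $intunePlans = foreach ($sku in $details) {
        foreach ($plan in $sku.ServicePlans) {
            if ($plan.ServicePlanName -like 'INTUNE_A*') {
                [pscustomobject]@{
                    Sku    = $sku.SkuPartNumber
                    Plan   = $plan.ServicePlanName
                    Status = $plan.ProvisioningStatus
                }
            }
        }
    }

    [pscustomobject]@{
        User           = $UserPrincipalName
        AssignedSkus   = ($details.SkuPartNumber -join ', ')
        IntuneLicensed = [bool]($intunePlans | Where-Object Status -eq 'Success')
        IntunePlans    = $intunePlans
    }
}

# Placeholder UPN; replace with the user who fails to enroll.
Test-IntuneLicense -UserPrincipalName 'user@contoso.example' | Format-List
```

IntuneLicensed is only true when at least one Intune service plan is provisioned with status Success, which is the condition the Intune service actually checks when it accepts or rejects the enrollment.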

Auto-Enrollment Configuration in Microsoft Entra ID

The core setting enabling automatic MDM enrollment is configured within the Microsoft Entra admin center under the Mobility (MDM and MAM) section. This area dictates how Microsoft Entra ID directs Windows devices to an MDM provider like Intune. Incorrect settings here are a very frequent cause of enrollment failures.

Navigate to Identity > Devices > Overview > Mobility (MDM and MAM). Here, you will typically find ‘Microsoft Intune’ and potentially ‘Microsoft Intune Enrollment’ listed. It is paramount to configure the settings under Microsoft Intune. Ensure the following within the Microsoft Intune settings:

  • MDM user scope: This setting determines which users’ devices will attempt MDM enrollment automatically. For widespread deployment, set this to All. If you are targeting a specific group of users, ensure it is set to Some and that the affected users are members of the specified Microsoft Entra group.
  • MAM User scope: This setting relates to Mobile Application Management and should generally be set to None for Windows auto-enrollment scenarios. If MAM User scope is set to All or Some, it takes precedence over the MDM scope for devices attempting MDM enrollment, which can prevent the MDM enrollment from occurring successfully. Confirming this is ‘None’ unless specifically required otherwise for a different scenario is vital.
  • MDM discovery URL: This URL is where devices query Microsoft Entra ID to find the enrollment endpoint for their MDM provider. For Microsoft Intune, this should be set to https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc. Verify this URL is correctly specified without typos.

Device Operating System Version

Automatic MDM enrollment capabilities in Windows were significantly enhanced starting with Windows 10, version 1709. This specific version and all subsequent versions (including Windows 11) contain the necessary MDM client components and features required to support this type of enrollment via Group Policy and Microsoft Entra ID. Devices running earlier versions of Windows 10 or older operating systems simply lack the built-in functionality.

Ensure that all target devices are running Windows 10, version 1709, or a newer build. You can quickly check the Windows version by typing winver in the Run dialog or Command Prompt on the device. Deploying devices with an up-to-date operating system is a fundamental requirement for leveraging modern management features like Intune auto-enrollment.

Device Hybrid Join Status

The specific auto-enrollment method triggered by the “Enable automatic MDM enrollment using default Microsoft Entra credentials” Group Policy setting is designed for devices that are Microsoft Entra hybrid joined. This means the device must be joined to a local Active Directory domain and registered with Microsoft Entra ID. This dual join state is crucial because the GPO leverages the existing Active Directory infrastructure and relies on the device having a valid identity in Microsoft Entra ID to perform the enrollment using its credentials.

To verify the device’s join state, open a command prompt on the affected machine and run dsregcmd /status. Examine the output carefully. For a correctly hybrid-joined device, you should see the following under the ‘Device State’ section:

AzureAdJoined: YES
DomainJoined: YES

Additionally, under the ‘SSO State’ section, look for:

AzureAdPrt: YES

The AzureAdPrt: YES indicates that the device has a valid Primary Refresh Token (PRT) issued by Microsoft Entra ID, which is necessary for seamless single sign-on (SSO) and also used during the auto-enrollment process to authenticate with the MDM service. If any of these states are not as expected, the device is not properly hybrid joined, and the auto-enrollment triggered by this specific GPO will fail. Troubleshooting hybrid join issues itself is a separate, often complex task involving Active Directory, Microsoft Entra Connect, and Group Policy.

Group Policy Application Verification

The “Enable automatic MDM enrollment using default Microsoft Entra credentials” Group Policy setting is the trigger for this entire process on the client side. If this policy isn’t correctly applied to the target devices, the enrollment process will never even begin. Verifying GPO application is a critical troubleshooting step after confirming the core requirements.

The relevant GPO setting is located at:
Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Microsoft Entra credentials.

This policy needs to be configured to either Enabled (for all users) or Enabled, Select Credential Type: User Credential (which uses the signed-in user’s credentials). The Group Policy Object containing this setting must be linked to an Organizational Unit (OU) containing the computer objects of the devices you wish to enroll, and standard GPO processing rules (inheritance, security filtering, enforcement) must allow it to apply successfully to these computers.

Checking GPO Application on the Client

To verify if the GPO has reached the client device, you can use the gpresult command. Open a Command Prompt as administrator and run gpresult /r to see applied user policies and gpresult /scope computer /r to see applied computer policies. Look for the name of the GPO object containing the MDM auto-enrollment setting in the list of applied GPOs.

Alternatively, you can check the Windows Registry on the client device. The GPO setting corresponds to a registry value. For the setting “Enable automatic MDM enrollment using default Microsoft Entra credentials”, when enabled, it sets a value under:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
Look for a value named AutoEnrollMDM. If the GPO is applied and enabled, this value should exist. Checking the registry provides a definitive answer on whether the setting has been pushed to the machine.

If the GPO is not applying, troubleshoot standard Group Policy issues: ensure the device is in the correct OU, check security filtering, verify WMI filters if used, and confirm AD replication status. Running gpupdate /force on the client and rebooting can also help ensure the latest policies are fetched.

Potential Conflicts and Other Considerations

Several other factors can interfere with the auto-enrollment process, even if the primary configurations appear correct. These often relate to legacy management systems or subtle configuration mismatches.

Classic PC Agent Interference

In some environments, devices might have previously been managed by the older Microsoft System Center Operations Manager (SCOM) Intune connector or the standalone Intune PC Agent. This legacy agent management method is incompatible with modern MDM management via the built-in Windows MDM client. If the classic PC agent is installed on a device, it can block or interfere with the MDM auto-enrollment attempt.

Verify that the Intune PC Agent is not installed on the problematic devices. You can typically find this in the list of installed programs in the Control Panel or Settings app. If found, the agent should be uninstalled before attempting MDM auto-enrollment. This is a crucial step, especially in environments migrating from older Intune deployments.

Multiple MDM Authorities

While less common now, in transition scenarios, an organization might have configured multiple MDM authorities or has remnants of a previous MDM configuration. Ensure that Microsoft Intune is the sole configured MDM authority for the organization. This is typically verified in the Intune portal (or Microsoft Endpoint Manager admin center), though the primary auto-enrollment configuration lives in Microsoft Entra ID as mentioned earlier.

The presence of both ‘Microsoft Intune’ and ‘Microsoft Intune Enrollment’ entries under Microsoft Entra ID’s Mobility (MDM and MAM) blade was noted earlier. It’s worth reiterating the importance of configuring the settings under Microsoft Intune. The ‘Microsoft Intune Enrollment’ entry is often related to older configurations or specific partner scenarios and should not be configured for standard auto-enrollment using the GPO method. If both exist and settings are duplicated or conflicting, remove the settings from ‘Microsoft Intune Enrollment’ and ensure they are correct under ‘Microsoft Intune’.

Event Viewer Logs

For deeper troubleshooting, the Windows Event Viewer is an invaluable resource. Several logs capture information about device registration and MDM activity. Key logs to check include:

  • Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin: This log provides detailed events related to MDM enrollment, configuration syncs, and policy application. Look for errors or warnings around the time of expected auto-enrollment.
  • Applications and Services Logs > Microsoft > Windows > User Device Registration > Admin: This log contains information about the device’s registration status with Microsoft Entra ID (AzureAdJoined, DomainJoined, PRT status). Issues here can indicate underlying hybrid join problems preventing the process from starting.

Look for specific Event IDs related to enrollment attempts, failures, or policy processing errors in these logs. The event details often contain error codes or descriptions that can point directly to the cause of the failure.

Timing and Triggers

Understand that the GPO-triggered auto-enrollment process doesn’t happen instantaneously. The GPO must apply, and then the MDM enrollment task is typically triggered at user logon or via a scheduled task (Microsoft\Windows\EnterpriseMgmt in Task Scheduler). A device reboot or a user signing out and back in after the GPO applies is often necessary for the enrollment attempt to initiate.

Consider timing issues. If you’ve just configured the GPO, ensure it has had sufficient time to replicate across domain controllers and for clients to refresh their policy settings. Network connectivity to Microsoft Entra ID and Intune endpoints is also required during the process.

Summary of Key Checks

To summarize the troubleshooting process for Windows 10 auto-enrollment issues triggered by Group Policy:

| Area | Key Checks | Tool/Location |
|---|---|---|
| Licensing | User has valid Intune license assigned. | Microsoft 365 Admin Center, Microsoft Entra admin center |
| Microsoft Entra Config | Auto-enrollment enabled under Microsoft Intune in Mobility (MDM and MAM). | Microsoft Entra admin center |
| | MDM user scope set to All or Some (with correct group). | Microsoft Entra admin center |
| | MAM user scope set to None. | Microsoft Entra admin center |
| | MDM discovery URL is https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc. | Microsoft Entra admin center |
| Device OS | Device is running Windows 10, version 1709 or later. | winver on the device |
| Hybrid Join Status | Device is AzureAdJoined: YES, DomainJoined: YES, AzureAdPrt: YES. | dsregcmd /status on the device |
| Group Policy | “Enable automatic MDM enrollment using default Microsoft Entra credentials” GPO applied and Enabled/Configured for User Credential. | gpresult /scope computer /r on the device; Registry (HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM) |
| Conflicts | Classic Intune PC Agent is NOT installed. | Programs and Features (Add/Remove Programs) on the device |
| | Microsoft Intune is configured in Mobility, not Microsoft Intune Enrollment. | Microsoft Entra admin center |
| Logs | Check DeviceManagement-Enterprise-Diagnostics-Provider and User Device Registration Admin logs for errors. | Event Viewer on the device |
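The device-side rows of this table (OS version, hybrid join state, the GPO registry value, the EnterpriseMgmt scheduled tasks and the MDM diagnostics log) can be collected in one pass. The script below is an added example, not code from the original post; the function name and the one-day log window are choices made here, and it assumes it runs in an elevated PowerShell session on the affected device.

```powershell
# Added example, not part of the original post. Run elevated on the hybrid-joined client.
function Test-MdmAutoEnrollPrereqs {
    $result = [ordered]@{}

    # 1. OS build: Windows 10 version 1709 is build 16299; older builds lack the MDM client features.
    $build = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
    $result['OsBuild']   = $build
    $result['OsBuildOk'] = $build -ge 16299

    # 2. Hybrid join state parsed from dsregcmd /status (lines look like "AzureAdJoined : YES").
    $dsreg = (dsregcmd /status) -join "`n"
    foreach ($key in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt') {
        $m = [regex]::Match($dsreg, "(?m)^\s*$key\s*:\s*(\S+)")
        $result[$key] = $m.Success -and $m.Groups[1].Value -eq 'YES'
    }

    # 3. GPO result: the policy writes AutoEnrollMDM under the MDM policies key when it is applied and enabled.
    $mdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $auto = Get-ItemProperty -Path $mdmKey -Name AutoEnrollMDM -ErrorAction SilentlyContinue
    $result['GpoAutoEnrollMDM'] = ($null -ne $auto) -and ($auto.AutoEnrollMDM -eq 1)

    # 4. Enrollment tasks: these appear under \Microsoft\Windows\EnterpriseMgmt once an enrollment has begun,
    #    so zero tasks with the GPO value present usually means the trigger (logon/reboot) has not fired yet.
    $tasks = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue
    $result['EnterpriseMgmtTaskCount'] = @($tasks).Count

    # 5. Last day of errors/warnings from the MDM diagnostics log named in the table above.
    $events = Get-WinEvent -FilterHashtable @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level     = 2, 3            # 2 = Error, 3 = Warning
        StartTime = (Get-Date).AddDays(-1)
    } -MaxEvents 10 -ErrorAction SilentlyContinue
    $result['RecentMdmErrors'] = @($events | ForEach-Object {
        '{0:u} Id={1}: {2}' -f $_.TimeCreated, $_.Id, ($_.Message -split "`n")[0]
    })

    [pscustomobject]$result
}

Test-MdmAutoEnrollPrereqs | Format-List
```

Read the output top to bottom in the same order as the table: a false in an earlier row explains the later ones, so an OsBuildOk or join-state failure makes the GPO and event-log rows moot until it is fixed.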

Understanding the Flow (Conceptual)

The process can be visualized as a sequence of events:

  1. GPO Application: The hybrid joined Windows 10+ device receives and applies the “Enable automatic MDM enrollment using default Microsoft Entra credentials” GPO from Active Directory.
  2. Task Trigger: Based on the GPO application (often at user logon or via a scheduled task), the device’s MDM client is instructed to attempt enrollment.
  3. Microsoft Entra Discovery: The MDM client contacts the Microsoft Entra ID discovery URL (https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc) using the signed-in user’s Microsoft Entra credentials (via the PRT).
  4. MDM Endpoint Redirection: Microsoft Entra ID, based on the Mobility (MDM and MAM) configuration for the user/device, confirms that Intune is the MDM provider and provides the Intune enrollment endpoint URL.
  5. Intune Enrollment: The device client connects to the Intune enrollment endpoint and attempts to enroll.
  6. Intune Verification: Intune verifies the user’s license and that the enrollment request is valid based on the configuration (e.g., allowed device types).
  7. Success or Failure: If all checks pass, Intune enrolls the device. If any check fails (license, configuration, credentials, etc.), the enrollment fails, and an error is typically logged in the Event Viewer.

```mermaid
graph TD
    A[Hybrid Joined Windows 10+ Device] --> B{GPO Applied?}
    B -- Yes --> C[MDM Enrollment Task Triggered]
    C --> D{Contact Microsoft Entra ID Discovery URL}
    D -- Using User PRT --> E[Microsoft Entra ID]
    E --> F{Check Mobility Config}
    F -- MDM Scope Valid? --> G[Provide Intune Enrollment URL]
    G --> H{Contact Intune Enrollment Endpoint}
    H -- User License Valid? --> I[Intune Service]
    I -- Enrollment Config Valid? --> J{Enroll Device}
    J -- Success --> K[Device Enrolled in Intune]
    J -- Failure --> L[Log Error in Event Viewer]
    F -- MDM Scope Invalid --> L
    H -- License Invalid --> L
```

Troubleshooting involves identifying which step in this flow is failing by checking the prerequisites and logs at each stage.

By systematically working through these checks, from licensing and Microsoft Entra configuration to device status, GPO application, and potential conflicts, administrators can effectively diagnose and resolve most auto-enrollment issues for Windows 10/11 hybrid joined devices leveraging Group Policy. Remember to check Event Viewer logs for specific error details when the basic checks don’t reveal the problem immediately.

Have you encountered other specific scenarios or error messages when troubleshooting Windows 10 auto-enrollment via GPO and Intune? Share your experiences and solutions in the comments below!
