Sunday, 28 February 2021

Intune automatic enrollment clarified

Automatic enrollment lets users enroll their Windows 10 devices in Intune. To enroll, users add their work account to their personally owned devices or join corporate-owned devices to Azure Active Directory. In the background, the device registers and joins Azure Active Directory and then automatically enrolls in Intune with no further intervention. The device is then managed with Intune.

There seem to be several ways to configure this, and it can be a little confusing. The configuration differs slightly depending on the scenario: cloud-only Azure AD join, hybrid Azure AD join, and hybrid Azure AD join with the SCCM client present.

Intune automatic enrollment lets you ensure that any Windows 10 device (1709 and later) that is joined to Azure AD is also enrolled in Intune. Once a device is joined to Azure AD, admins can control access to corporate resources with conditional access policies evaluated against the device identity. Enrolling those devices in Intune additionally lets you manage the deployment of applications and security policies on them.


The simplest way to configure Intune automatic enrollment is by navigating to Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune. Change the MDM user scope to All, or select Some and choose an Azure AD group. The scope is evaluated for the user performing the join, so the group must be a user group, not a device group. When an in-scope user joins a device to Azure AD, it is automatically enrolled in Intune. However, this only applies to the cloud-only scenario (AADJ), where the user joins the device directly to Azure AD.


What about a hybrid Azure AD join scenario, where Azure AD Connect is configured to hybrid Azure AD join the existing domain-joined Windows 10 devices? There, the cloud-based MDM user scope policy is not enough on its own. Something else is required to trigger Intune auto-enrollment.

This comes in the form of a GPO. You'll need to enable this setting:

Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials.

On newer versions of Windows 10 the setting also has a "Select Credential Type to Use" dropdown (User Credential or Device Credential). With User Credential, the user signing in must also be in the MDM user scope described above, otherwise the enrollment attempt fails. The policy creates a scheduled task on the device that runs the enrollment client; enrollment success or failure is recorded in the DeviceManagement-Enterprise-Diagnostics-Provider event log, which is the first place to look when a device does not show up in Intune.
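As an added example (not code from the original post), the PowerShell below verifies the hybrid join state, applies the registry values the GPO above writes when run in a lab where no GPO is in place, kicks off the enrollment task, and reads the result from the event log. It assumes the policy key HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM with AutoEnrollMDM and UseAADCredentialType, the scheduled task under \Microsoft\Windows\EnterpriseMgmt, and event IDs 75 (success) and 76 (failure) in the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log; the function names are my own. Run it elevated on the device.

```powershell
#Requires -RunAsAdministrator
# Added example: check and trigger hybrid Azure AD join auto-enrollment.
# Assumed locations: policy key, scheduled task name and event IDs below.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$TaskPath  = '\Microsoft\Windows\EnterpriseMgmt\'
$TaskName  = 'Schedule created by enrollment client for automatically enrolling in MDM from AAD'
$LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Get-JoinState {
    # dsregcmd is the authoritative view of the device identity; pick out the
    # "Name : Value" lines that matter for enrollment.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|MdmUrl)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Set-AutoEnrollPolicy {
    param([ValidateSet('User', 'Device')][string]$CredentialType = 'Device')
    # Same values the GPO writes. In production use Group Policy so the setting is
    # enforced and auditable; writing the keys directly is for a lab only.
    # UseAADCredentialType: 1 = User Credential (user must be in MDM user scope),
    #                       2 = Device Credential
    $type = if ($CredentialType -eq 'User') { 1 } else { 2 }
    New-Item -Path $PolicyKey -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name AutoEnrollMDM -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $PolicyKey -Name UseAADCredentialType -PropertyType DWord -Value $type -Force | Out-Null
}

function Test-AutoEnrollPolicy {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    return ($null -ne $p -and $p.AutoEnrollMDM -eq 1)
}

function Invoke-AutoEnroll {
    # The policy creates a scheduled task that runs deviceenroller.exe. Start the
    # task if it exists; otherwise run the enroller directly instead of waiting
    # for the next trigger.
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($task) { Start-ScheduledTask -InputObject $task }
    else { & "$env:windir\System32\deviceenroller.exe" /c /AutoEnrollMDM }
}

function Get-EnrollmentResult {
    # Event 75 = auto MDM enroll succeeded, 76 = failed (the HRESULT is in the message).
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 75, 76 } -MaxEvents 5 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }
}

# --- main ---------------------------------------------------------------
$join = Get-JoinState
if ($join.AzureAdJoined -ne 'YES' -or $join.DomainJoined -ne 'YES') {
    Write-Warning ("Not hybrid Azure AD joined (AzureAdJoined={0}, DomainJoined={1}); fix the join first." -f `
        $join.AzureAdJoined, $join.DomainJoined)
    return
}
if ($join.MdmUrl) {
    Write-Host "Already enrolled: MdmUrl = $($join.MdmUrl)"
    return
}
if (-not (Test-AutoEnrollPolicy)) { Set-AutoEnrollPolicy -CredentialType Device }
Invoke-AutoEnroll
Start-Sleep -Seconds 30
Get-EnrollmentResult | Format-Table -AutoSize
```

If the script reports a 76 event, the error code in the message is what to search for; a device that is not yet hybrid joined (no AzureAdJoined : YES in dsregcmd) will never enroll no matter how the policy is set, which is why the join check comes first.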

When SCCM (Microsoft Endpoint Configuration Manager) is introduced into the mix, everything changes. The GPO has no effect in this case. If the SCCM client is detected on a device, no attempt is made to enrol in Intune when the device becomes Azure AD joined, even if Intune automatic enrolment is configured.

That's when co-management is needed. When you configure co-management, you signal your intention to allow the device to be managed by SCCM and MDM (Intune) at the same time. With co-management enabled, the SCCM client becomes aware that the device should also be enrolled in Intune, and it is the SCCM client, not the GPO, that then triggers the automatic Intune enrolment.

It's important to realize that "managed by SCCM and MDM at the same time" is per workload. Take client applications and compliance policies as workload examples. Co-management means that, on a co-managed device, the applications workload can be managed by SCCM while the compliance workload is managed by Intune. It does not mean that a single workload, applications for instance, can be managed by SCCM and Intune simultaneously; each workload is owned by exactly one of them.
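As an added example (not from the original post), the PowerShell below checks the three facts that decide the SCCM case above: whether the SCCM client is present, whether co-management is switched on, and whether an Intune enrollment exists, then prints a verdict. It assumes the SCCM client service is CcmExec (with the SMS_Client class in the root\ccm WMI namespace), that the DWORD HKLM\SOFTWARE\Microsoft\CCM\CoManagementFlags is a bitmask whose lowest bit means "co-management enabled" (the per-workload bits are not decoded here), and that Intune enrollments appear under HKLM\SOFTWARE\Microsoft\Enrollments with ProviderID set to "MS DM Server". Function names are my own.

```powershell
# Added example: why is (or isn't) this hybrid-joined device enrolling in Intune
# when the SCCM client is installed? Assumed registry/WMI locations noted inline.

function Test-ConfigMgrClient {
    # Either the agent service or its client WMI class is enough to say "SCCM client present".
    if (Get-Service -Name CcmExec -ErrorAction SilentlyContinue) { return $true }
    return [bool](Get-CimInstance -Namespace root\ccm -ClassName SMS_Client -ErrorAction SilentlyContinue)
}

function Get-CoManagementFlags {
    # Assumed: DWORD written by the SCCM client once the co-management policy is received.
    $v = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags -ErrorAction SilentlyContinue
    if ($null -eq $v) { return 0 }
    return [int]$v.CoManagementFlags
}

function Test-CoManagementEnabled {
    # Bit 0 = co-management enabled; the remaining bits record which workloads
    # have been moved to Intune and are left undecoded here.
    return ((Get-CoManagementFlags) -band 1) -eq 1
}

function Get-IntuneEnrollment {
    # Each enrollment has its own GUID subkey; non-GUID subkeys (Context, Status, ...)
    # are filtered out by the ProviderID test.
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object PSChildName, EnrollmentState, EnrollmentType
}

function Get-EnrollmentDiagnosis {
    $sccm     = Test-ConfigMgrClient
    $comgmt   = Test-CoManagementEnabled
    $enrolled = [bool](Get-IntuneEnrollment)

    if ($enrolled) {
        $verdict = 'Enrolled in Intune.'
    } elseif ($sccm -and -not $comgmt) {
        $verdict = 'SCCM client present and co-management off: the auto-enrollment GPO is ignored. Enable co-management in SCCM.'
    } elseif ($sccm -and $comgmt) {
        $verdict = 'Co-management enabled but no Intune enrollment yet: check CoManagementHandler.log under the CCM logs folder.'
    } else {
        $verdict = 'No SCCM client: enrollment depends on the MDM user scope and the auto-enrollment GPO.'
    }

    [pscustomobject]@{
        ConfigMgrClient     = $sccm
        CoManagementFlags   = Get-CoManagementFlags
        CoManagementEnabled = $comgmt
        IntuneEnrolled      = $enrolled
        Verdict             = $verdict
    }
}

Get-EnrollmentDiagnosis | Format-List
```

The raw CoManagementFlags value is printed alongside the verdict so you can compare it with the workload values documented for your SCCM version; the script only relies on the lowest bit.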

I hope this helps. Until next time.....