Windows 10 Auto-enrollment
Requirements for Autoenrollment
Since Windows 10 1709, it is possible to automatically enroll the computer on Azure Active Directory (AD). You can use group policy parameter for auto-enrollment.
Autoenrollment requires meeting some prerequisites :
- Computer running Windows 10 1709 or later
- Mobile Device Management (MDM) service has configured
- Active Directory is synchronised with Azure Active Directoy
- ADMX for Windows 10 if your domain controllers runs on Windows Server 2012 R2.
Synchronized Active Directory with Azure Active Directory
It is important to synchronize the Active Directory with the Azure Active Directory. You can use the links below links :
Configure Azure AD Connect
To activate the hybrid devices attached to Azure AD, it’s necessary to synchronize the computer objects of the devices that will become hybrid. The computer need to access to the Following URLs :
- https://enterpriseregistration.windows.net
- https://login.microsoftonline.com Autoriser
- https://device.login.microsoftonline.com
ON the Azure AD Connect server, open configuration wizard of Azure AD Connect and click on Configure.
Select Configure device options and click on Next.
Click on Next in the Overview windows and enter the credential of Azure AD Global admin account.
Select Configure Hybrid Azure AD Join and click on Next.
Select Windows 10 or later domain-joined devices and click on Next. Select the AD Forest and Authentification Service. Click on Add for enter Enterprise Admin Credential.
Click on Configure to launch configuration.
Click on Configure to lauch configuration.It’s possible to check the configuration of the service connection point. The service connection point (SCP) object is used during registration to detect Azure AD client information. On the domain controller, run the PowerShell command
- $scp = New-Object System.DirectoryServices.DirectoryEntry;
- $scp.Path = “LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=Formation,DC=local”;
- $scp.Keywords;
Replace DC=Formation, DC=Local with your domain name. If a result is displayed, the SCP is correctly configured. If not, it is necessary to prepare the Active Directory forest by extending the Schema.
Configure Group Policy
It’s now important to configure windows 10 computer with group policy. From the Domain Controller, open Group Policy Management console and create new group policy.
From the Group Policy Editor expand Computer configuration / Policies / Administrative Templates / Windows Components / Device Registration. Double click on Register domain joined computers as device and Enabled the parameter.
Expand Computer configuration / Policies / Administrative Templates / Windows Components / MDM. Double click on Enable automatic MDM enrollment using default Azure AD credentials and Enabled the parameter and choose User Credential.
Link the group policy to the desired container (ou or root of the domain).
Apply the group policy on computer. When it’s been applied, the ldap attributes (userCertificate) is configured. This attributes must be configued for synchronize computer account.
It is now possible to synchronize computer accounts. For limiting filtering, I use a AD groups. I add on this group the AD computer account.
Start synchronization after add account on the group. The computer is now present on Azure AD.
Configure Application on Azure AD
On the Azure AD portal (aad.portal.azure.com), click on Azure Active Directory then on Mobility (MDM and MAM). Click on Microsoft Intune in the central panel.
Configure MDM User Scope. If you want apply parameter to all user, select All. if you need to apply to some user, select Some and choose Azure Active Directory Groups. This group can be synchronised to Active Directory or can be created directly to Azure Active Directory. Click on Save to validate the choice.
Verify hybrid AD Join on computer
On Windows 10 computer, open a session with a user account. This account must be have an Intune licence. The computer has automatically enrolled on Intune. You can verify on the computer if enrollment works fine.
Select Access Work and school on the menu. The connection at the domain Active Directory appear. Click on Info.
Information about connection and sync status are present on the Windows.
The computer has been present on Intune console.
Verify auto-enrollment
Event viewer can permit to verify if auto-enrollment is been applied. Open event viewer and expand Appliations and Servces log, Microsoft, Windows, DeviceManagement-Enterprise-Diagnostics-Provider and Admin.
If the auto-enrollment worked, event with ID 75 is present.
Troubleshooting
This section contains some errors I may have had when I implemented auto-enrollment.
Error Auto MDM Enroll : Credential (0x0), Failed (the system try to dekete the JOIN of a drive that is not joined). If you have this error, Azure AD hybrid is not configured or computer account not synchronised. Refer you to my article on the subject.
Error Auto MDM Enroll : Credential (0x0), Failed (Unknow Win32 Error Code 0x8018002b). MAM User Scope has activated. Select None and try auto-enrollment.