Windows 10 Auto-enrollment

AutoEnrollment

Since Windows 10 1709, it is possible to automatically enroll the computer in Azure Active Directory (Azure AD). You can do this with a group policy setting.

Requirements for Autoenrollment

Autoenrollment requires the following prerequisites:

  • A computer running Windows 10 1709 or later
  • A Mobile Device Management (MDM) service has been configured
  • Active Directory is synchronized with Azure Active Directory
  • The ADMX templates for Windows 10, if your domain controllers run Windows Server 2012 R2.

Synchronize Active Directory with Azure Active Directory

It is important to synchronize Active Directory with Azure Active Directory. You can use the links below:

Configure Azure AD Connect

To enable hybrid Azure AD joined devices, it is necessary to synchronize the computer objects of the devices that will become hybrid. The computers need access to the following URLs:

  • https://enterpriseregistration.windows.net
  • https://login.microsoftonline.com
  • https://device.login.microsoftonline.com

On the Azure AD Connect server, open the Azure AD Connect configuration wizard and click on Configure.

Configure Hybrid equipment with Azure AD

Select Configure device options and click on Next.

Select device options to configure hybrid join

Click on Next in the Overview window and enter the credentials of an Azure AD Global admin account.

Enter Credential

Select Configure Hybrid Azure AD Join and click on Next.

Configure Hybrid Azure AD Join

Select Windows 10 or later domain-joined devices and click on Next. Select the AD forest and the Authentication Service. Click on Add to enter Enterprise Admin credentials.

Enter credentials to configure Hybrid Azure AD Join

Click on Configure to launch configuration.

It is possible to check the configuration of the service connection point. The service connection point (SCP) object is used during registration to discover Azure AD tenant information. On the domain controller, run the following PowerShell commands:

    # Bind to the SCP object in the Configuration partition
    $scp = New-Object System.DirectoryServices.DirectoryEntry;
    $scp.Path = "LDAP://CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,CN=Configuration,DC=Formation,DC=local";
    # Display the keywords stored on the SCP
    $scp.Keywords;

Replace DC=Formation,DC=local with your domain name. If a result is displayed, the SCP is correctly configured. If not, it is necessary to prepare the Active Directory forest by extending the schema.
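The same SCP check without a hardcoded domain name, as an added example that is not part of the original article: it reads the configuration naming context from RootDSE and splits the SCP keywords into their name:value pairs. It assumes the keywords are named azureADName and azureADId, as Azure AD Connect writes them.

```powershell
# Added example (not from the article): validate the device-registration SCP.
# The SCP GUID and container path are the ones used in the article's command.
$rootDse  = [ADSI]'LDAP://RootDSE'
$configNc = [string]$rootDse.configurationNamingContext
$scpDn    = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080," +
            "CN=Device Registration Configuration,CN=Services,$configNc"

if (-not [System.DirectoryServices.DirectoryEntry]::Exists("LDAP://$scpDn")) {
    Write-Warning "SCP not found at $scpDn"
    return
}

$scp = [ADSI]"LDAP://$scpDn"

# Each keyword is a "name:value" string; split on the first colon only.
$settings = @{}
foreach ($kw in $scp.Keywords) {
    $name, $value = ([string]$kw).Split(':', 2)
    $settings[$name] = $value
}

# Assumption: azureADName / azureADId are the keyword names written by
# Azure AD Connect. Both must be present for clients to find the tenant.
[pscustomobject]@{
    ScpDn       = $scpDn
    AzureADName = $settings['azureADName']
    AzureADId   = $settings['azureADId']
    Complete    = [bool]($settings['azureADName'] -and $settings['azureADId'])
} | Format-List
```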

Hybrid equipment with Azure AD

Configure Group Policy

It is now important to configure the Windows 10 computers with a group policy. From the domain controller, open the Group Policy Management console and create a new group policy.

Create group policy

In the Group Policy Editor, expand Computer configuration / Policies / Administrative Templates / Windows Components / Device Registration. Double-click on Register domain joined computers as devices and set the parameter to Enabled.

Configure Group Policy

Expand Computer configuration / Policies / Administrative Templates / Windows Components / MDM. Double-click on Enable automatic MDM enrollment using default Azure AD credentials, set the parameter to Enabled and choose User Credential.

Configure MDM Parameter

Link the group policy to the desired container (OU or root of the domain).

Configure Group Policy

Apply the group policy on the computer. Once it has been applied, the LDAP attribute userCertificate is populated. This attribute must be populated for the computer account to be synchronized.

LDAP attribute has been configured

It is now possible to synchronize computer accounts. To limit the filtering, I use an AD group. I add the AD computer account to this group.
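Before starting the synchronization, the following added example (not part of the original article) lists which computers in the filtering group already have userCertificate populated and which do not. It requires the ActiveDirectory PowerShell module; the group name AAD-Hybrid-Devices is a hypothetical placeholder.

```powershell
# Added example (not from the article). Requires the ActiveDirectory module (RSAT).
Import-Module ActiveDirectory

# Hypothetical name of the AD group used to filter synchronization.
$filterGroup = 'AAD-Hybrid-Devices'
$groupDn = (Get-ADGroup -Identity $filterGroup).DistinguishedName

# (userCertificate=*) is an LDAP presence filter: it matches objects where
# the attribute holds at least one value. memberOf matches direct members
# only. A group DN containing ( ) * or \ would need LDAP-filter escaping.
$ready   = @(Get-ADComputer -LDAPFilter "(&(memberOf=$groupDn)(userCertificate=*))")
$pending = @(Get-ADComputer -LDAPFilter "(&(memberOf=$groupDn)(!(userCertificate=*)))")

$report = @(
    $ready | ForEach-Object {
        [pscustomobject]@{
            Computer        = $_.Name
            UserCertificate = 'Present'
            Status          = 'Ready to synchronize'
        }
    }
    $pending | ForEach-Object {
        [pscustomobject]@{
            Computer        = $_.Name
            UserCertificate = 'Missing'
            Status          = 'Group policy not applied yet'
        }
    }
)

$report | Sort-Object UserCertificate, Computer | Format-Table -AutoSize
"{0} ready, {1} pending" -f $ready.Count, $pending.Count
```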

Computer account has been added

Start the synchronization after adding the account to the group. The computer is now present in Azure AD.

Computer account has been added

Configure Application on Azure AD

On the Azure AD portal (aad.portal.azure.com), click on Azure Active Directory then on Mobility (MDM and MAM). Click on Microsoft Intune in the central panel.

Configure Microsoft Intune

Configure the MDM User Scope. If you want to apply the setting to all users, select All. If you need to apply it to only some users, select Some and choose Azure Active Directory groups. These groups can be synchronized from Active Directory or created directly in Azure Active Directory. Click on Save to validate the choice.

Configure Microsoft Intune

Verify hybrid AD Join on computer

On the Windows 10 computer, open a session with a user account. This account must have an Intune licence. The computer is automatically enrolled in Intune. You can verify on the computer whether enrollment worked.

Accounts on Windows Settings

Select Access Work and school in the menu. The connection to the Active Directory domain appears. Click on Info.

Select Info button

Information about the connection and sync status is shown in the window.

Information about the connection and sync status

The computer is now present in the Intune console.

Verify auto-enrollment

Event Viewer can be used to verify whether auto-enrollment has been applied. Open Event Viewer and expand Applications and Services Logs, Microsoft, Windows, DeviceManagement-Enterprise-Diagnostics-Provider and Admin.

Access to the eventlog Device-Management

If the auto-enrollment worked, event with ID 75 is present.

Event ID 75, auto-enrollment works fine
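The same verification from PowerShell on the Windows 10 client, as an added example that is not part of the original article: it reads the join state from dsregcmd and queries the Admin log described above. Event ID 76 as the failure counterpart of ID 75 is an assumption beyond the article, which only names ID 75.

```powershell
# Added example (not from the article): run on the Windows 10 client.

# 1. Join state as reported by dsregcmd ("Key : Value" lines).
$state = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*(\w+)\s*:\s*(.*\S)\s*$') { $state[$Matches[1]] = $Matches[2] }
}
[pscustomobject]@{
    DomainJoined  = $state['DomainJoined']
    AzureAdJoined = $state['AzureAdJoined']
    TenantName    = $state['TenantName']
} | Format-List

# 2. Auto-enrollment events from the log named in the article.
#    75 = enrollment succeeded (article); 76 = enrollment failed (assumption).
$log    = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } `
                       -MaxEvents 20 -ErrorAction SilentlyContinue

if (-not $events) {
    Write-Warning 'No auto-enrollment event (ID 75 or 76) found yet.'
} else {
    $events | ForEach-Object {
        $message = [string]$_.Message
        [pscustomobject]@{
            Time    = $_.TimeCreated
            Id      = $_.Id
            Result  = if ($_.Id -eq 75) { 'Succeeded' } else { 'Failed' }
            # Hex codes such as 0x8018002b, to compare with the error texts
            Codes   = ([regex]::Matches($message, '0x[0-9A-Fa-f]+') |
                        ForEach-Object Value) -join ', '
            Message = $message
        }
    } | Format-List
}
```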

Troubleshooting

This section contains some errors I may have had when I implemented auto-enrollment.

Error Auto MDM Enroll : Credential (0x0), Failed (the system tried to delete the JOIN of a drive that is not joined). If you have this error, Azure AD hybrid join is not configured or the computer account is not synchronized. Refer to my article on the subject (the link is present earlier in this article).

Error Auto MDM Enroll : Credential (0x0), Failed (Unknown Win32 Error Code 0x8018002b). The MAM User Scope is activated. Select None and try auto-enrollment again.

Configure Scope MAM
