We need to talk about auto MDM enrollment for devices already Azure Ad joined

Last Updated on February 28, 2023 by rudyooms

This blog will show you how you could make sure, your existing Azure Ad Joined devices (Devices that are not yet enrolled into MDM / Intune) are going to be automatically enrolled into Intune.

I will divide this blog into multiple parts

  1. The issue
  2. Solving it
  3. The Results
  4. Speeding up the Enrollment
  5. Troubleshooting the Enrollment

1. The Issue

A lot of customers will start their cloud journey by making use of Azure Ad as their Identity Provider. Most of the time, Intune wasn’t yet part of that journey. But what if you want to make sure your devices are being managed and the devices are already enrolled into azure but not into Intune?

Today I spend some time enrolling existing Azure Ad joined devices into Intune. These devices were Azure Ad joined butt without MDM/Intune enabled or configured.

This company started off with only Microsoft 365 Business standard licenses. We all know that this license type is missing the possibility to enroll the devices into Intune.

2. Solving it

When you want to enroll your existing Azure Ad joined device into Intune, there are multiple options available to make sure the device will be enrolled into MDM/Intune. Of course, when enrolling an existing Azure Ad Joined device into Intune there is 1 major requirement. You will need to have the right privileges (local administrator) to perform that operation! Otherwise, you will end up with some nice errors

If the permissions aren’t going to be an issue we still need to check out some other settings. To make sure users could enroll their device we need to configure the MDM scope in Intune. As shown below we made sure only users with a proper license (Business Premium) could enroll their device into MDM.

Please note: Before enrolling the device, also make sure there are no enrollment restrictions(Block Personal Devices) configured!

If we have the prerequisites configured we could start enrolling the device into MDM/Intune. To do so we have multiple options at our disposal.

Option 1: Group Policy:  

You can open the group policy object editor and browse to

Computer Configuration > Administrative Templates > Windows Components > MDM.

And configure this setting like the picture below:

*Enable: “Automatic MDM enrollment using default Azure credentials

*Credential Type to use: User credentials

Make sure that after you configured this settings you perform a gpupdate on the device

Option 2. Registry:

Instead of changing a GPO setting, we could also change the corresponding registry setting ourselves. So just import this reg file with the required enrollment information in it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
"AutoEnrollMDM"=dword:00000001
"UseAADCredentialType"=dword:00000001

It does the same as the GPO as a GPO is nothing more than a bunch of registry changes… 🙂 .. so again please make sure that you perform a gpupdate on the device after configuring this registry key

Option 3. PowerShell

And of course, you could also just deploy this PowerShell script to your devices to make sure the device will start enrolling into MDM/Intune/Endpoint Manager

$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
New-Item -Path $registryPath

$Name = "AutoEnrollMDM"
$Name2 = "UseAADCredentialType"
$value = "1"

new-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
new-ItemProperty -Path $registryPath -Name $name2 -Value $value -PropertyType DWORD -Force | Out-Null
gpupdate /force

3. Results:

When you applied one of these options I described above, you will notice a new Task will be created in the task scheduler. A new nice Category: EnterpriseMgmt will be created with a task named: “schedule created by enrollment client for automatically enrolling in MDM from AAD” in it. This task runs every 5 minutes for a duration of 1 day and will try to run C:\Windows\system32\deviceenroller.exe with these arguments /c /AutoEnrollMDM

Give it some time because sometimes it could really take long before the device will be enrolled into Intune successfully. In the meantime, you could notice the error Auto MDM Enroll: Failed 0x8018002b (event 76) popping up in the DeviceManagement-Enterprise-Diagnostic event log.

Sometimes it could take over more than a few hours, also putting the device to sleep or logging out the user will keep you waiting. After some time of waiting you will notice event 75 with the message that Auto MDM Enroll: Succeeded

4. Speeding up the Enrollment

When you don’t want to wait until you are an old person, and you want to speed it up.

The old man from Up was dead all along according to this depressing fan  theory

Please enforce enrollment by running the DeviceEnroller command in the System context (PSEXEC).(with the use of the Sysinternal tools)

As shown below, I am also making sure the MdmENrollmentUrl is configured before we start the enrollment!

$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*'
$keyinfo = Get-Item "HKLM:\$key"
$url = $keyinfo.name
$url = $url.Split("\")[-1]
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$url"

New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath $path  -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ea SilentlyContinue;

C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM

If you don’t execute this command in the system context you will notice a nice error mentioning: “Auto MDM ENroll: Device Credential (0x0), Failed (Access is denied). So please use PSEXEC to speed things up!

For the people who don’t believe that this process will only take a few seconds, here you go

5. Troubleshooting the Enrollment

I removed this part from this blog because it was becoming too large and while becoming too large it was overshadowing the main part of the blog. Please visit this blog if you are dealing with Intune Enrollment Errors

Conclusion:

When your devices are already enrolled in Azure Ad, it doesn’t mean you will need to reinstall the devices to make sure those devices are enrolled into Intune/MDM. Sometimes enrolling a device into Intune sounds easier than it is… hopefully the troubleshooting part showed you how to deal with those kinds of situations!

Please Note: Wiping the device and enrolling it with Autopilot is the path you will need to take… but sometimes that path isn’t always available!

Two Paths GIFs - Get the best GIF on GIPHY

18 thoughts on “We need to talk about auto MDM enrollment for devices already Azure Ad joined

  1. Hi,
    thanks for your tutorial!
    Do you mean Azure AD joined or registered?
    https://media-exp1.licdn.com/dms/image/C5612AQE5lJbTDgF-Xw/article-inline_image-shrink_1000_1488/0?e=1609372800&v=beta&t=FfHYRZ9me0btNv9OnRT_1HJ4bCXb8a5G9ojexf9jLqg

    best regards
    Manuel

  2. how long does it take for the scheduled task to show up? How long on avg before it enrolls with Azure AD? Been waiting 4hrs and nothing on ether front. Running version 20H2

    1. Normally, when you configure this setting your already azure ad joined device will register itself in Intune. This setting will not join the device to azure.

  3. Thank you! I couldn’t find any mention of this on the setup or troubleshooting pages, unless I’d glazed over it.

    As soon as I set this GPO and triggered the scheduled task, the devices checked in to Intune as ‘Co-managed’. Also gave them a reboot to speed up the client, rather than waiting 240 minutes for the retry.

  4. On a computer that is currently Azure AD Joined if you put in place the registry key in this location: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
    The device will never create the scheduled task. As soon as I made the changed via Local Group Policy Editor the scheduled task gets made as soon as I run GPUpdate. Without the local GPEDIT not even the “EnterpriseMgmt” folder within scheduled task gets generated.

    Any thoughts on how to get around this so the change can be made with just a regedit? It would be a lifesaver for automating this,

    1. Replying to myself here. I may have found a PowerShell script to do this. The scheduled task has to be made. You can’t just flip the registry keys. I’ve not tested yet but here is a potential solution: https://timmyit.com/2018/12/17/mdm-join-an-already-azure-ad-joined-windows-10-pcs-to-intune-with-a-provisioning-package/

      1. What happens when you use C:\Windows\System32\deviceenroller.exe /c /AutoEnrollMDM from a system shell(psexec)

  5. Hey Rudy
    If users enrol as local admin… Will they keep local admin on the enrolled device?
    If so that seems like a big no no :o)
    Regards from Denmark

    1. Depends on what”you” configured in Intune 🙂 , as you are enrolling a device into a mdm… so I assume you have your configuration profiles in place to make sure the user isn’t going to be an admin right?

  6. I end up with error “Auto MDM Enroll: Device Credential (0x0), Failed (Unknown Win32 Error code: 0x80180026)”
    Any idea ?
    Using psexec -i -s powershell.exe

  7. I had an issue with your powershell, for some reason the JoinInfo and TennantInfo in the registry wasn’t there. I think I didn’t wait long enough but I’m sure what actually populates that info.

  8. Is there any way to automatically enroll a not Azure Ad joined device to MDM only with a username/password combination? E.g., to run some scripts with an embedded username/password and MDM server enrollment URL.

  9. Rudy! You’re an awesome bro! I used your powershell script but the scheduled task never scheduled. I still successfully enrolled my AzureAD only clients in Intune within seconds using your Psexec method. Let’s go have a beer sometime on me 🙂

  10. In many PCs don’t have enrollment task.
    After Option 3. PowerShell had error: “Reg key alredy exist.”
    Then gpupdate /force – Windows failed to apply the MDM Policy settings.
    How can fix this?

Leave a Reply

Your email address will not be published.

1  +  2  =