In some scenarios that might not sound very interesting, especially in cloud-only scenarios. However, this feature becomes very interesting when an organization wants to move to the cloud. Think about co-management.
AUTOENROLLMENT FAILS WITH UNKNOWN ERROR 0x80180001 & 0x8018002a
Co-management helps organizations move their device management capabilities to the cloud gradually, by allowing multiple device management agents on a single device.
Microsoft just released co-management in Microsoft Intune, and co-management is also available in the latest Technical Preview releases of Configuration Manager. So, imagine a scenario in which a device that is currently managed by Configuration Manager receives a Group Policy setting that also auto-enrolls it in Microsoft Intune.
Very helpful in the transition to the cloud. Well, actually this post describes what happens when automatic enrollment is configured. Starting with a specific Windows 10 version, once an organization has registered its Active Directory with Azure Active Directory, a Windows 10 device that is Active Directory domain joined is automatically registered in Azure Active Directory.
This might change in future releases of Windows. Simply install the latest ADMX files for your Windows 10 version or later and perform at least the following 3 steps. The following 3 locations are the easiest places on the local Windows 10 device to check whether the auto-enrollment succeeded.
Besides that, a screenshot of a Windows 10 device in Azure Active Directory is simply boring. For more information about automatically enrolling Windows 10 devices using GPO, please refer to the article Enroll a Windows 10 device automatically using Group Policy.

Did you log on to the device with a user who has an Intune license assigned? Did you check the Event Viewer for more information? Regards, Peter.

Do you know something about that? Thank you.
Hi Remi, it depends on the scenario. This Group Policy configuration is focused on devices that are already domain joined on-premises.

Hi Peter! I did the auto-join now with my domain-joined W10 machine, but when I look at it in Intune, no user is associated with the machine. Is this by design?

Hi Marius, in my cases the auto-registration registered the device with the logged-on user.

Hi; do you know how to manage Win10 devices without MDM?

I have been testing with already domain-joined machines. I have ADFS 3.
So my local domain devices are joined as Hybrid Joined. This was set up so we could bypass conditional access. Devices were not auto-joined to Intune.

Auto-enrollment requires meeting some prerequisites: configure Pass-through Authentication, and deploy the Company Portal (for this you can use a Group Policy setting). You can use the links below:
The computer needs access to the following URLs:

In the Azure AD Connect wizard (Configure device options), select Windows 10 or later domain-joined devices and click Next. Click Add to enter Enterprise Admin credentials. Click Configure to launch the configuration. On the domain controller, run the PowerShell command. If a result is displayed, the Service Connection Point (SCP) is correctly configured. If not, it is necessary to prepare the Active Directory forest by extending the schema. In the Group Policy editor, double-click Register domain joined computers as devices and set it to Enabled.
Link the Group Policy to the desired container (an OU or the root of the domain) and apply it to the computers. The following attributes must be configured to synchronize computer accounts. It is now possible to synchronize computer accounts. To limit the scope, I use an AD group as the sync filter: I add the AD computer account to this group and start a synchronization after adding it. The computer is now present in Azure AD. In the Azure AD portal (aad.), click Microsoft Intune in the central panel.
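The SCP check and the computer-account synchronization above are the two sync-side points where hybrid join silently stalls. The following script is an added example (my own, not code from the original article) that verifies both before you touch the Windows 10 clients. It assumes the SCP is the well-known object under CN=Device Registration Configuration in the Configuration naming context, with azureADName: and azureADId: keywords, and that the Azure AD Connect sync filter is an AD group; the group name HybridJoin-Computers is a placeholder.

```powershell
# Added example (not from the original article): sync-side pre-flight checks for hybrid
# Azure AD join. Run on a domain controller, or on the Azure AD Connect server with the
# ActiveDirectory RSAT module installed.
# Assumptions (mine, not stated on the page):
#  - the SCP is the well-known object under CN=Device Registration Configuration in the
#    Configuration naming context, with keywords azureADName:<tenant> and azureADId:<tenantId>
#  - the Azure AD Connect sync filter is an AD group, here called 'HybridJoin-Computers'
param(
    [string]$SyncGroup = 'HybridJoin-Computers',
    [switch]$StartDeltaSync   # also kick off a delta sync when run on the Azure AD Connect server
)
Import-Module ActiveDirectory -ErrorAction Stop

# 1. Service Connection Point: present, and which tenant does it point to?
$configNC = (Get-ADRootDSE).configurationNamingContext
$scpDN    = "CN=62a0ff2e-97b9-4513-943f-0d221bd30080,CN=Device Registration Configuration,CN=Services,$configNC"
try {
    $scp        = Get-ADObject -Identity $scpDN -Properties keywords -ErrorAction Stop
    $tenantName = ($scp.keywords | Where-Object { $_ -like 'azureADName:*' }) -replace '^azureADName:'
    $tenantId   = ($scp.keywords | Where-Object { $_ -like 'azureADId:*' })   -replace '^azureADId:'
    Write-Host "SCP OK: tenant $tenantName ($tenantId)"
} catch {
    Write-Warning "No SCP at $scpDN; rerun the Azure AD Connect 'Configure device options' wizard. $($_.Exception.Message)"
}

# 2. Computers in the sync scope: Azure AD Connect only creates the device object in Azure AD
#    once the computer has written its certificate into the userCertificate attribute.
$members = Get-ADGroupMember -Identity $SyncGroup -ErrorAction Stop | Where-Object objectClass -eq 'computer'
$report = foreach ($m in $members) {
    $c = Get-ADComputer -Identity $m.distinguishedName -Properties userCertificate, operatingSystem, whenChanged
    [pscustomobject]@{
        Computer        = $c.Name
        OS              = $c.operatingSystem
        UserCertificate = (($c.userCertificate | Measure-Object).Count -gt 0)
        LastChanged     = $c.whenChanged
    }
}
$report | Format-Table -AutoSize
$notReady = @($report | Where-Object { -not $_.UserCertificate })
if ($notReady.Count -gt 0) {
    Write-Warning (("{0} computer(s) have no userCertificate yet; they will not appear in Azure AD until they " +
                    "have processed the 'Register domain joined computers as devices' policy: {1}") -f
                    $notReady.Count, ($notReady.Computer -join ', '))
}

# 3. Optional: push new or changed computer objects to Azure AD right away instead of waiting
#    for the next scheduled cycle (this is the manual sync step the articles refer to).
if ($StartDeltaSync) {
    Import-Module ADSync -ErrorAction Stop
    Start-ADSyncSyncCycle -PolicyType Delta
}
```

Run it as `.\Check-HybridJoinPrereqs.ps1 -SyncGroup 'HybridJoin-Computers' -StartDeltaSync` on the Azure AD Connect server. A computer listed with UserCertificate = False has not yet processed the device registration policy (or cannot reach the SCP), so an Azure AD device object for it will not exist no matter how often you sync.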
Under MDM user scope, if you want to apply the setting to all users, select All; otherwise select a group. This group can be synchronized from Active Directory or created directly in Azure Active Directory. Click Save to validate the choice. On the Windows 10 computer, sign in with a user account.
This account must have an Intune license. The computer is then automatically enrolled in Intune. You can verify on the computer that the enrollment worked: open Settings and select Access work or school, and the connection to the Active Directory domain appears. Click Info; information about the connection and the sync status is shown. Event Viewer can also be used to verify whether auto-enrollment was applied.
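Clicking through Settings and Event Viewer on every test device gets old quickly. The script below is an added example (mine, not the article's) that reads the same three indicators from PowerShell: the join state, the enrollment record, and the diagnostics log. It assumes that MDM enrollments are recorded under HKLM:\SOFTWARE\Microsoft\Enrollments with ProviderID "MS DM Server" for Intune, and that the task the GPO creates lives under \Microsoft\Windows\EnterpriseMgmt\.

```powershell
# Added example (not from the original article): client-side check of the places the article
# points at (Settings > Access work or school > Info, the enrollment record, Event Viewer).
# Run in an elevated PowerShell session on the Windows 10 device.
# Assumptions (mine): Intune enrollments are recorded under HKLM:\SOFTWARE\Microsoft\Enrollments
# with ProviderID 'MS DM Server', and the GPO-created task sits under \Microsoft\Windows\EnterpriseMgmt\.

# 1. Join state from dsregcmd (the same data the Info button in Settings shows)
$state = @{}
foreach ($line in (dsregcmd /status)) {
    if ($line -match '^\s*(AzureAdJoined|DomainJoined|AzureAdPrt|TenantId|DeviceId)\s*:\s*(\S.*?)\s*$') {
        $state[$matches[1]] = $matches[2]
    }
}
$hybridJoined = ($state.AzureAdJoined -eq 'YES') -and ($state.DomainJoined -eq 'YES')
"Hybrid Azure AD joined : $hybridJoined (device $($state.DeviceId) in tenant $($state.TenantId))"
"Primary Refresh Token  : $($state.AzureAdPrt)"   # NO usually means no Azure AD user has signed in yet

# 2. Enrollment record written by the MDM client
$intune = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' }
if ($intune) {
    $intune |
        Select-Object @{n='EnrollmentId';e={Split-Path $_.PSPath -Leaf}}, UPN, EnrollmentType, EnrollmentState, DiscoveryServiceFullURL |
        Format-List
} else {
    Write-Warning 'No Intune enrollment found under HKLM:\SOFTWARE\Microsoft\Enrollments'
}

# 3. The scheduled task the GPO creates (it fires every 5 minutes until enrollment succeeds)
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
    Select-Object TaskName, State,
                  @{n='LastRun';   e={(Get-ScheduledTaskInfo -InputObject $_).LastRunTime}},
                  @{n='LastResult';e={'0x{0:X8}' -f (Get-ScheduledTaskInfo -InputObject $_).LastTaskResult}} |
    Format-Table -AutoSize

# 4. Errors from the MDM diagnostics log in the last 24 hours
Get-WinEvent -FilterHashtable @{
    LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Level     = 2                       # Error
    StartTime = (Get-Date).AddHours(-24)
} -ErrorAction SilentlyContinue |
    Select-Object TimeCreated, Id, @{n='Message';e={$_.Message -replace '\s+', ' '}} |
    Format-Table -Wrap
```

A healthy device shows hybrid joined True, a PRT, one MS DM Server enrollment carrying the signed-in UPN, and an empty error list. A device that is hybrid joined but has no enrollment and a task whose LastResult is non-zero is the case the troubleshooting sections further down deal with.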
This section contains some errors I ran into when I implemented auto-enrollment. Since Windows 10 this GPO setting has changed.
You can now select Device or User Authentication. If you select Device Authentication, a device token is used to enroll the device, but this is not supported for Intune, according to this Docs article. Another error in the event log indicates that the GPO setting must be misconfigured:

As soon as this GPO setting is applied to a device, a scheduled task is created that triggers the enrollment process every 5 minutes.
If you check the arguments of that task, you will notice that they contain the string:

So device authentication is still being used, and this causes our error. You can test the enrollment with user authentication by changing the GPO to User Authentication (in my case this did not change the scheduled task arguments, even after reboots, gpupdate, etc.). After that, the devices started to auto-enroll in Intune. Be aware that auto-enrollment, enrollment restrictions and Azure AD device registration all need to be enabled and configured for this to work.
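The mismatch described above (GPO says user authentication, task still carries the device-credential argument) is easy to confirm in one go. The script below is an added example (mine, not the post's) that reads the policy value, reads the task's action, reports which credential each one implies, and can start a user-credential enrollment by hand. It assumes the GPO writes AutoEnrollMDM and UseAADCredentialType (1 = user, 2 = device) under HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM, and that the task runs deviceenroller.exe with /AutoEnrollMDM for the user credential or /AutoEnrollMDMUsingAADDeviceCredential for the device credential.

```powershell
# Added example (mine, not from the post): report which credential the auto-enrollment will use,
# flag the device-credential case the post describes, and optionally start a user-credential
# enrollment by hand. Run elevated on a device where an Intune-licensed user is signed in.
# Assumptions (mine, not stated on the page): the GPO writes AutoEnrollMDM and
# UseAADCredentialType (1 = user, 2 = device) to HKLM:\SOFTWARE\Policies\Microsoft\Windows\
# CurrentVersion\MDM, and the task runs deviceenroller.exe with /AutoEnrollMDM (user credential)
# or /AutoEnrollMDMUsingAADDeviceCredential (device credential).
param([switch]$Retrigger)

$policyKey  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$policy     = Get-ItemProperty $policyKey -ErrorAction SilentlyContinue
$credNames  = @{ 1 = 'User'; 2 = 'Device' }
$policyCred = if ($null -ne $policy.UseAADCredentialType) { $credNames[[int]$policy.UseAADCredentialType] }
              else { 'User' }   # value absent: the policy defaults to the user credential
"GPO   : AutoEnrollMDM=$($policy.AutoEnrollMDM)  credential=$policyCred"

$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
    Where-Object TaskName -like 'Schedule created by enrollment client*' |
    Select-Object -First 1
if (-not $task) {
    Write-Warning 'Enrollment task not present: the GPO has not been applied yet (try gpupdate /force and check the MDM policy key).'
    return
}
$taskArgs = ($task.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' ; '
$taskCred = if ($taskArgs -match 'AutoEnrollMDMUsingAADDeviceCredential') { 'Device' }
            elseif ($taskArgs -match 'AutoEnrollMDM') { 'User' }
            else { 'Unknown' }
"Task  : $taskArgs"
"Task  : credential=$taskCred"

if ($taskCred -eq 'Device') {
    Write-Warning 'The task still enrolls with the device credential, which Intune does not support; expect the enrollment error until the task is recreated with the user credential.'
}
if ($taskCred -ne 'Unknown' -and $policyCred -ne $taskCred) {
    Write-Warning "Policy says $policyCred but the task uses $taskCred: the task was created before the GPO change and was not rebuilt."
}

# Manual user-credential enrollment: the same call the task makes when set to user authentication.
if ($Retrigger) {
    & "$env:windir\System32\deviceenroller.exe" /c /AutoEnrollMDM
    "deviceenroller.exe exit code: $LASTEXITCODE (now check the DeviceManagement-Enterprise-Diagnostics-Provider log)"
}
```

Run `.\Check-EnrollmentCredential.ps1` first to see the two credential values side by side; only add `-Retrigger` once the policy reads User and an Intune-licensed user is signed in, otherwise the manual run fails for the same reason the task does.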
Auto-enroll Windows 10 devices using Group Policy
If you use Azure MFA, another error may show up in the event log that is not displayed to the end user:

This will also block the enrollment process.
Your users will receive a toast message that some account settings have been changed. Hope this helps!

Thanks and keep up the useful content.

Thank you. This worked for me as well.

Glad it helped! Cheers, Al
The enrollment into Intune is triggered by a Group Policy created in your local AD and happens without any user interaction. This means you can automatically mass-enroll a large number of domain-joined corporate devices into Microsoft Intune. The enrollment process starts in the background once you sign in to the device with your Azure AD account.
In a later Windows 10 version, the enrollment protocol was updated to check whether the device is domain-joined. For examples, see section 4. When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. If multi-factor authentication is required, the user gets a prompt to complete the authentication. Once the enrollment is configured, the user can check the status in the Settings page.
Since a later Windows 10 version, a new setting allows you to change the policy conflict winner to MDM. For additional information, see Windows 10 Group Policy vs. Intune MDM Policy: who wins? To ensure that the auto-enrollment feature works as expected, you must verify that the various requirements and settings are configured correctly.
The following steps demonstrate the required settings using the Intune service:

Verify that auto-enrollment is activated for the users who are going to enroll devices into Intune. For corporate devices, the MDM user scope takes precedence if both scopes are enabled; the devices get MDM enrolled. This means that the device must be joined to both the local Active Directory and Azure Active Directory. Make sure that your auto-enrollment settings are configured under Microsoft Intune instead of Microsoft Intune Enrollment.
You may contact your domain administrators to verify that the Group Policy has been deployed successfully. Verify that the device is not enrolled with the old Intune client used on the Intune Silverlight portal (the Intune portal used before the Azure portal). Verify that Azure AD allows the logon user to enroll devices.
Verify that Microsoft Intune allows enrollment of Windows devices. This procedure is only for illustration purposes, to show how the new auto-enrollment policy works; it is not recommended for a production enterprise environment. For bulk deployment, use the Group Policy Management Console process. User Credential enrolls Windows 10 devices from a specific version onward once an Intune-licensed user logs into the device.
Device Credential enrolls the device and assigns a user later, once support for this is available. In a later Windows 10 version, the MDM.

Microsoft is adding more and more configuration service provider (CSP) settings that can be used to configure Windows 10 devices with Intune.
In my demo tenant I set up several custom configuration profiles that contain some of those settings. I wanted to block Third-Party Suggestions in Windows Spotlight and found the right setting to use on this site. I set up the custom policy below and assigned it to a user group.
After forcing a sync from my Intune-managed device, I got some errors in the event log under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider, with two event IDs. The policy was assigned to a device group; first I removed that group and assigned a user group.
Nothing changed. I started searching on Google, but nothing pointed me in the right direction. Then I found an important note on this site, under AllowWindowsConsumerFeatures, about the paths to be used.
The path for AllowWindowsConsumerFeatures needs to use.
And yes, after performing another sync the error is gone! The setting is now applied as expected.
I can confirm it on my end, since this is what I see. Can you please confirm if this is the case for and later? Should we add a note to address this? Thank you.

Hi again ManikaDhiman, do you have any update on this?
I believe it will be best if we add a note, if confirmed, regarding the different steps or options for it. What do you think?

Hello again ManikaDhiman, just following up in case you have information or an update regarding this.

Yes, the difference between user and device credentials needs to be explained, and how to troubleshoot issues with the device credential. For example, I'm getting the error below, but it doesn't make much sense.
Agree that this needs more explanation.
The assumption is that the behavior will be similar to co-management, where the device enrolls into Intune and gets a Device Owner as soon as an Intune-licensed user logs on. However, in our testing, the device does not enroll into Intune with the device token "unless" an Intune-licensed user is logged on; this kind of goes against my interpretation of the GPO.

Hi v-maxist, I am awaiting a response from the product team on this issue.
I will update the doc as soon as I hear from them.

Thank you for the update ManikaDhiman. Looking forward to the feedback from the product team.

Hi all, I'm throwing my hat in the ring here as well. I've been trying to get Hybrid AAD Join working in conjunction with this feature, to automatically enroll my devices, but I don't know what to select.

When you try to enroll a Windows 10 device automatically by using Group Policy, you experience the following issues:

This issue occurs when the device was previously joined to a different tenant and did not unjoin from that tenant correctly.
In this case, the values of the following registry key still contain information about the old tenant:

On the affected device, open an elevated Command Prompt window and run the following command:

Then delete the device object from the domain controller, and manually initiate a sync cycle by running the following PowerShell cmdlet:
Then verify that the device is successfully enrolled in Intune. Last Updated: Oct 21
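The stale-tenant case is worth checking for explicitly before re-registering a device, because the symptoms (task keeps failing, nothing in Intune) look identical to a plain GPO problem. The script below is an added example (mine, not from the support article) that compares the tenant state cached on the device with the tenant the forest is registered to, and only then performs the leave step the article describes. It assumes cached tenant state lives under HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\<TenantId>, one subkey per tenant, and that the expected tenant ID is the azureADId keyword of the SCP (also shown as TenantId by dsregcmd /status). The requirement that dsregcmd /leave run in the SYSTEM context on hybrid-joined devices is my assumption as well; the script warns when it is not, but proceeds.

```powershell
# Added example (mine, not from the support article): detect join state cached from a different
# tenant than the one the forest's SCP points to, then run the clean-up the article describes.
# Run elevated on the affected device.
# Assumptions (mine): cached tenant state lives under
# HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\<TenantId>, one subkey per
# tenant; the expected tenant ID is the SCP's azureADId (dsregcmd /status shows it as TenantId);
# and on hybrid-joined devices dsregcmd /leave is normally run as SYSTEM (e.g. psexec -s).
param(
    [Parameter(Mandatory)][string]$ExpectedTenantId,
    [switch]$Fix   # without -Fix the script only reports
)

$tenantInfo = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
$cached = @(Get-ChildItem $tenantInfo -ErrorAction SilentlyContinue)
if ($cached.Count -eq 0) { "No cached tenant information under $tenantInfo"; return }

# One row per cached tenant; anything other than the expected tenant is left over from an
# earlier join that was never undone with dsregcmd /leave.
$report = foreach ($key in $cached) {
    $props = Get-ItemProperty $key.PSPath
    [pscustomobject]@{
        TenantId    = $key.PSChildName
        DisplayName = $props.DisplayName
        Stale       = ($key.PSChildName -ne $ExpectedTenantId)
    }
}
$report | Format-Table -AutoSize
$stale = @($report | Where-Object Stale)
if ($stale.Count -eq 0) { "Only the expected tenant $ExpectedTenantId is cached; this is not the stale-tenant case."; return }

Write-Warning ("Stale tenant state found for: " + ($stale.TenantId -join ', '))
if (-not $Fix) { "Re-run with -Fix to leave the old registration."; return }

# Step 1 from the article: leave the old registration on the device.
$isSystem = [Security.Principal.WindowsIdentity]::GetCurrent().IsSystem
if (-not $isSystem) {
    Write-Warning 'Not running as SYSTEM; if dsregcmd /leave does not clear the state, rerun via psexec -s.'
}
dsregcmd /leave
"dsregcmd /leave exit code: $LASTEXITCODE"

# Steps 2 and 3 are done elsewhere: delete the device object on the domain controller, then
# run Start-ADSyncSyncCycle -PolicyType Delta on the Azure AD Connect server. After that,
# reboot and sign in with an Intune-licensed user so the GPO task can enroll the device again.
"Next: delete the device object on the DC, run Start-ADSyncSyncCycle -PolicyType Delta on the sync server, reboot, sign in."
```

Usage: `.\Repair-StaleTenant.ps1 -ExpectedTenantId <tenant GUID from the SCP>` reports only; add `-Fix` to perform the leave. Keeping the leave behind a switch matters because dsregcmd /leave on a correctly joined device throws away a working registration and forces a full re-join.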