
AutoPilot – Hybrid Machine to Intune Enrollment


In this blog post, we will cover the steps for converting a Hybrid Joined Windows device to an AutoPilot/Intune enrolled machine. This post assumes that you already have AzureAD Sync set up and AzureAD Hybrid Device Sync configured.
For this example, in this lab, we have a computer “HYPERVLAB-PC01”, which is a Windows 10 Enterprise device.

NOTE: If you are struggling to find the device in AzureAD, you might need to force a sync from your AzureAD Sync Server. One thing that I found while creating this post is that the AD Sync wasn’t as fast as I’d have liked and took around 15 minutes to catch up and sync the computer into AzureAD.

Hybrid Sync Error – Reference Note

To check whether your device has synced with AzureAD, you can run the command: dsregcmd /status

+----------------------------------------------------------------------+
| Diagnostic Data                                                      |
+----------------------------------------------------------------------+

     Diagnostics Reference : www.microsoft.com/aadjerrors
              User Context : UN-ELEVATED User
               Client Time : 2020-12-02 22:25:54.000 UTC
      AD Connectivity Test : PASS
     AD Configuration Test : PASS
        DRS Discovery Test : PASS
     DRS Connectivity Test : PASS
    Token acquisition Test : SKIPPED
     Fallback to Sync-Join : ENABLED

     Previous Registration : 2020-12-02 22:24:29.000 UTC
         Registration Type : sync
               Error Phase : join
          Client ErrorCode : 0x801c03f2
          Server ErrorCode : DirectoryError
            Server Message : The device object by the given id (3c849a08-096e-467c-8eab-b8a3b8f200c0) is not found.
              Https Status : 400
                Request Id : 49a1e99c-4690-4df9-bffb-630f3698dfa9

Should you get this error message, it means that the device has not synced up to the Azure tenant. You will need to run a force sync from AzureAD Synchronization Service Manager.

From the reference computer in question, open Command Prompt as an administrator and run the command:
dsregcmd /join

Follow it with dsregcmd /status. If the device has checked into AzureAD, the Diagnostic Data should report as PASSED.

Finally, in the AzureAD Portal, under Devices, you should see the computer in question.

Group Policy – Enable Automatic MDM Enrollment.

From the Group Policy Management window, let’s create a new policy.

Next, let’s link the new Group Policy Object to the OU in question, “Computers”.

Select the policy we just created, “[C] MS Intune – Auto MDM Enrollment”.

Right-click on the policy and open the Group Policy Management Editor. The location we want is:
Computer > Policies > Administrative Templates > Windows Components > MDM.

Open the “Enable automatic MDM enrollment using default Azure AD credentials” setting and, from the dropdown, select “User Credentials”. Trust me on this one, I tried Device Credential and spent two hours debugging and reading event logs!

Once the policy has been configured, we can reboot the reference computer.

We can check the status of the MDM enrollment from the Windows Event Viewer (eventvwr.msc), under:

Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.

In the Event Viewer logs, if you see an event with an ID of “75”, the device has passed the MDM steps and is now enrolling into Microsoft Intune. If you don’t, some further diagnostics are required. [Troubleshooting Steps]

Checking in the AzureAD Devices Portal, you will see the device change from a Compliant state to Non-Compliant.

However, checking on the local machine under C:\Program Files (x86), you should see the Intune Management Extension folder.

Refreshing the Intune Portal will show the device as “Co-Managed”.

Now it’s time to grab a coffee. Intune needs to do its thing and complete the sync, and shortly the device will become compliant and be a fully enrolled Intune device.
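The three local checks from this post (dsregcmd /status, event ID 75, and the Intune Management Extension folder) can be run as one PowerShell script. This is an added example, not the author's code: the function name ConvertFrom-DsregStatus is hypothetical, the AzureAdJoined/DomainJoined field names and the full event log name come from Windows rather than from the post, and event ID 76 is the failure event documented by Microsoft alongside 75.

```powershell
# Added example. Run in an elevated PowerShell session on the device being enrolled.

function ConvertFrom-DsregStatus {
    # Parse the "   Key : Value" lines printed by dsregcmd /status into a hashtable.
    param([Parameter(Mandatory)][AllowEmptyString()][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # The key never contains ':', so timestamps and messages in the value stay intact.
        if ($line -match '^\s*(?<key>[^:|+]+?)\s+:\s+(?<value>.*\S)\s*$') {
            $fields[$Matches['key']] = $Matches['value']
        }
    }
    $fields
}

# 1. Hybrid join state and the Diagnostic Data section.
$status = ConvertFrom-DsregStatus -Lines (dsregcmd /status)
foreach ($name in 'AzureAdJoined', 'DomainJoined') {   # Device State fields of the same output
    '{0,-24}: {1}' -f $name, $status[$name]
}
# Any diagnostic test that did not report PASS or SKIPPED.
$status.GetEnumerator() |
    Where-Object { $_.Key -like '* Test' -and $_.Value -notin 'PASS', 'SKIPPED' } |
    ForEach-Object { 'FAILED  {0}: {1}' -f $_.Key, $_.Value }
# Error fields are only present after a failed join (e.g. 0x801c03f2 above).
foreach ($name in 'Error Phase', 'Client ErrorCode', 'Server ErrorCode', 'Server Message') {
    if ($status.ContainsKey($name)) { '{0,-24}: {1}' -f $name, $status[$name] }
}

# 2. Auto MDM enrollment events. 75 is the success event the post looks for;
#    76 is the failure event documented by Microsoft (not mentioned in the post).
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } `
    -MaxEvents 5 -ErrorAction SilentlyContinue
if ($events) {
    $events | Format-List TimeCreated, Id, Message
} else {
    'No event 75 or 76 found in the log.'
}

# 3. Intune Management Extension folder; the wildcard avoids assuming the exact folder name.
$ime = Join-Path ${env:ProgramFiles(x86)} '*Intune Management Extension'
'Intune Management Extension folder present: {0}' -f (Test-Path $ime)
```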
