Enroll Hybrid Azure AD Joined devices to Intune using Group Policy
In this article we will learn how to enroll Hybrid Azure AD joined devices to Intune using Group Policy. I will demonstrate, step by step, how an administrator can enroll Hybrid Azure AD joined Windows devices to Intune using Group Policy, and we will check the status of the device after enrollment.
Watch the video
To learn more about how to enroll Hybrid Azure AD joined devices to Intune using group policy, please watch this video on our YouTube channel.
What is Hybrid Azure AD join devices
When a device is joined to on-premises Active Directory and is also registered with Azure AD (now Microsoft Entra ID), that device is called a Hybrid Azure AD joined device. Note that the join itself only registers the device identity in Entra ID; it does not manage the device.
If you have a device that is already Hybrid Azure AD joined, you can enroll that device in Microsoft Intune so that you can manage and control it from the Microsoft Intune admin center (formerly Endpoint Manager). You can deploy or remove applications on that device, apply compliance policies that feed into Conditional Access, or wipe the device. In a nutshell, once a device is enrolled in Intune you have complete control over it from the Intune admin center.
There are multiple ways to enroll a Hybrid Azure AD joined device in Intune. You can use Group Policy to enable automatic enrollment, or you can use Windows Autopilot together with the Intune Connector for Active Directory to hybrid-join and enroll devices during provisioning.
But for this demo we will create a group policy in on-premises AD to automate enrollment process for Hybrid Azure AD joined devices.
Prerequisites
You need to make sure you have Hybrid Azure AD joined devices in your Microsoft Entra tenant. You can verify this in the Microsoft Entra admin center under Devices > All devices, where the Join type column should show Microsoft Entra hybrid joined for the device.
You can also run dsregcmd /status in a command prompt on the device to verify this: under Device State, both AzureAdJoined and DomainJoined must show YES.
If you are using Windows 10 machines, make sure their version is 1709 or later. The automatic MDM enrollment policy requires at least 1709; the Select Credential Type option used below appears in the policy on Windows 10 1903 and later.
Next, you need to verify that automatic enrollment is enabled in Microsoft Intune. Go to Microsoft Intune admin center > Devices > Windows > Windows enrollment and click Automatic Enrollment. Make sure the MDM user scope is set to All, or to Some with a group that contains the users who will sign in to these devices. Automatic enrollment runs in the context of the signed-in user, so that user must also be a synced (hybrid) identity with an Intune license.
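The following PowerShell script is an added example, not part of the original article, that performs the device-side prerequisite checks from this section in one go: it parses dsregcmd /status, checks the Windows build against 1709 (build 16299), and checks that the signed-in user has a UPN that can sync to Entra ID. The dsregcmd fields and registry key are real; the parsing approach and the function names Get-DsregStatus and Test-HybridJoinPrerequisites are this example's own. The Intune MDM user scope cannot be checked from the client and still has to be confirmed in the admin center.

```powershell
# Added example (not from the original article): local prerequisite check for
# Hybrid Azure AD join and the minimum Windows 10 build, run on the client.
# dsregcmd.exe /status and its AzureAdJoined/DomainJoined/TenantName fields are
# real; the parsing approach and the function names are this example's own.

function Get-DsregStatus {
    # dsregcmd prints "Key : Value" lines grouped into sections; flatten them
    # into a hashtable. Section headers such as "Device State" have no colon
    # and are skipped by the regex.
    $status = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9 ]+?)\s*:\s*(.*?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-HybridJoinPrerequisites {
    $s = Get-DsregStatus
    $problems = @()

    if ($s['DomainJoined'] -ne 'YES')  { $problems += 'Device is not joined to on-premises AD.' }
    if ($s['AzureAdJoined'] -ne 'YES') { $problems += 'Device is not registered with Azure AD (Entra ID).' }

    # Windows 10 1709 is build 16299; older builds do not have the auto-enrollment policy.
    $build = [int](Get-ItemPropertyValue 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion' -Name CurrentBuildNumber)
    if ($build -lt 16299) { $problems += "Windows build $build is older than 1709 (16299)." }

    # Auto-enrollment runs as the signed-in user, so that user must be a domain
    # account that syncs to Entra ID. Local accounts have no UPN and will not enroll.
    $upn = (whoami.exe /upn 2>$null)
    if (-not $upn) { $problems += 'Signed-in user has no UPN; sign in with a domain account that syncs to Entra ID.' }

    [pscustomobject]@{
        DomainJoined  = $s['DomainJoined']
        AzureAdJoined = $s['AzureAdJoined']
        TenantName    = $s['TenantName']
        Build         = $build
        User          = $upn
        Ready         = ($problems.Count -eq 0)
        Problems      = $problems
    }
}

Test-HybridJoinPrerequisites | Format-List
```

Run it in a normal (non-elevated) PowerShell session as the user who will be enrolling the device, so that the UPN check reflects the account the enrollment task will actually use.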
How to Enroll Hybrid Azure AD Joined devices to Intune using group policy
First we will create a group policy and then link it to the OU (Organizational Unit) that contains the computer objects of the Hybrid Azure AD joined devices. This is a computer policy, so it must be linked where the computer accounts live, not where the user accounts live.
Go to Group Policy Management.
Right-click Group Policy Objects, click New and give it a name.
Right-click the newly created GPO and click Edit.
Go to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM and double-click Enable automatic MDM enrollment using default Azure AD credentials.
Select Enabled and choose User Credential under Select Credential Type. User Credential enrolls the device on behalf of the signed-in (synced) user, who becomes the device owner in Intune. Device Credential is only supported in specific scenarios (Microsoft documents it for hybrid joined devices co-managed with Configuration Manager), so use User Credential for this walkthrough.
Next, we need to link this group policy to the OU where our Hybrid Azure AD joined devices are stored. In Group Policy Management, right-click the OU, click Link an Existing GPO, select the group policy we created and click OK.
Go to the Windows 10/11 machine and run the command below in an elevated command prompt to refresh Group Policy, then restart the computer and sign in with a synced domain account. The enrollment runs from a scheduled task that Windows creates when the policy is processed; it retries in the background, so allow a few minutes after sign-in.
GPUPDATE /force
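The following PowerShell script is an added example, not part of the original article, that confirms the GPO from the steps above actually reached the client: it refreshes policy, reads the registry values that the Enable automatic MDM enrollment policy writes, and looks for the scheduled task the enrollment client creates. The registry path and value names (AutoEnrollMDM, UseAADCredentialType) and the task folder \Microsoft\Windows\EnterpriseMgmt\ are the ones Windows uses; the function name Update-AndCheckMdmPolicy is this example's own.

```powershell
# Added example (not from the original article): check that the auto-enrollment
# GPO has applied to this computer and that the enrollment task exists.
# Run from an elevated PowerShell session.

function Update-AndCheckMdmPolicy {
    # Pull the latest computer policy from the domain controller first.
    gpupdate.exe /force /target:computer | Out-Null

    # This is the key the "Enable automatic MDM enrollment using default Azure AD
    # credentials" policy writes. If it is missing, the GPO is not linked to the
    # OU holding this computer object, or has not applied yet (see gpresult /r).
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $policyKey)) {
        throw "Policy key $policyKey is missing: GPO not applied to this computer."
    }
    $p = Get-ItemProperty $policyKey

    # UseAADCredentialType: 1 = User Credential, 2 = Device Credential.
    $credType = switch ([int]$p.UseAADCredentialType) {
        1       { 'User Credential' }
        2       { 'Device Credential' }
        default { '(not set)' }
    }

    # The enrollment client schedules a retrying task once the policy is processed.
    # It may be cleaned up after enrollment succeeds, so treat this as informational.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
            Where-Object TaskName -like 'Schedule created by enrollment client*'

    [pscustomobject]@{
        AutoEnrollMDM   = $p.AutoEnrollMDM      # expected: 1
        CredentialType  = $credType             # expected: User Credential
        EnrollTaskFound = [bool]$task
        EnrollTaskState = if ($task) { $task.State } else { $null }
    }
}

Update-AndCheckMdmPolicy | Format-List
```

If AutoEnrollMDM is 1 but the task never appears and the device never enrolls, the usual causes are the signed-in account not being a synced identity or not being covered by the MDM user scope; the verification section below shows where Windows logs the actual error.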
Verify device enrollment
Once your machine has restarted and the user has signed in, open a command prompt and run dsregcmd /status. Under Device State you should still see AzureAdJoined: YES and DomainJoined: YES; the MDM enrollment itself is confirmed by the next two checks.
You can also verify from the machine's settings. Click Settings > Accounts > Access work or school, select the connected work account, and an Info button appears. That button is only shown for accounts that are MDM-managed, so its presence means this device is enrolled in Intune.
And if you go to Microsoft Entra admin center > Devices > All devices, you can now see that the owner (the user who signed in) is reflected for the device, that the device is managed by Intune, and that it shows as compliant. Note that a device with no compliance policy assigned shows as Compliant by default (the setting Mark devices with no compliance policy assigned as in Compliance policy settings controls this), so a Compliant status proves enrollment, not that any compliance rules have been evaluated.
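The following PowerShell script is an added example, not part of the original article, that verifies the enrollment from the device itself rather than from the Settings app or the portal. It reads the enrollment records under HKLM\SOFTWARE\Microsoft\Enrollments and the most recent auto-enrollment events from the DeviceManagement-Enterprise-Diagnostics-Provider Admin log. The interpretation used here (ProviderID "MS DM Server" identifies the Intune enrollment, EnrollmentState 1 means enrolled, event 75 is auto-enrollment succeeded and event 76 is auto-enrollment failed) is the one commonly used in Intune troubleshooting; treat the Intune admin center as the authority if they disagree. The function name Get-IntuneEnrollmentStatus is this example's own.

```powershell
# Added example (not from the original article): confirm Intune MDM enrollment
# from the client using the enrollment registry records and the MDM event log.
# Run from an elevated PowerShell session.

function Get-IntuneEnrollmentStatus {
    # Each enrollment is a GUID-named subkey; helper subkeys (Context, Status, ...)
    # have no ProviderID and are filtered out. "MS DM Server" is the Intune provider.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }

    $intune = foreach ($e in $enrollments) {
        [pscustomobject]@{
            EnrollmentId    = Split-Path $e.PSPath -Leaf
            EnrollmentState = $e.EnrollmentState   # 1 is treated as "enrolled" here
            UPN             = $e.UPN               # the user who enrolled the device
            DiscoveryUrl    = $e.DiscoveryServiceFullURL
        }
    }

    # Event 75 = auto MDM enroll succeeded, 76 = failed. The first line of a 76
    # message carries the HRESULT you need when troubleshooting.
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $events = Get-WinEvent -FilterHashtable @{ LogName = $log; Id = 75, 76 } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } }

    [pscustomobject]@{
        Enrolled               = [bool]($intune | Where-Object EnrollmentState -eq 1)
        Enrollments            = $intune
        RecentAutoEnrollEvents = $events
    }
}

$result = Get-IntuneEnrollmentStatus
$result | Format-List
$result.RecentAutoEnrollEvents | Format-Table -AutoSize
```

A healthy device returns Enrolled = True with one MS DM Server enrollment whose UPN is the signed-in user, and a recent event 75. If you only see event 76 entries, the device received the policy and attempted enrollment but the tenant rejected it, which points back at the MDM user scope or the user's Intune license rather than at Group Policy.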
I hope this article was informative and helped you to successfully enroll Hybrid Azure AD joined devices to Intune.
Related articles
We invite you to browse our other articles on Microsoft Intune:
Demystifying Microsoft Intune: The Ultimate Guide
Decoding MDM vs MAM: A Closer Look at Mobile Management Approaches
Prepare tenant for device enrollment – Microsoft Intune
Categorize devices into groups using Device Categories in Microsoft Intune
Enrollment types for Windows devices in Microsoft Intune
Enroll corporate-owned Windows 10 devices to Microsoft Intune
Enroll personally-owned (BYOD) Windows 10 devices to Microsoft Intune
Happy Learning!