Troubleshooting Intune Windows 10 Group Policy-based auto-enrollment issues

Applies to: Microsoft Intune

Introduction


Starting in Windows 10, version 1709, you can use Group Policy to trigger auto-enrollment to MDM for Active Directory (AD) domain-joined devices. For more information, see Enroll a Windows 10 device automatically using Group Policy.

This article describes best practices and troubleshooting steps that help you fix issues during the enrollment.

Before you start troubleshooting, it’s important to verify that everything is configured correctly. If the issue can’t be fixed during verification, we can troubleshoot further by checking some important log files.

Verify the configuration


Make sure that the following items are configured correctly:

  1. Verify that a valid Intune license is assigned to the user who is trying to enroll the device.

  2. Verify that auto-enrollment is enabled for all users who will enroll the devices in Intune. For more information, see Azure AD and Microsoft Intune: Automatic MDM enrollment in the new Portal.


    • Verify that MDM user scope is set to All to allow all users to enroll a device in Intune.
    • Verify that MAM User scope is set to None. Otherwise, this setting will have precedence over the MDM scope and cause issues.
    • Verify that MDM discovery URL is set to https://enrollment.manage.microsoft.com/enrollmentserver/discovery.
  3. Verify that the device is running Windows 10, version 1709 or a later version.
  4. Verify that the devices are set to hybrid Azure AD joined. This means that the devices are both domain-joined and Azure AD-joined.

    To do this, run dsregcmd /status at the command line. Then, verify the following status values in the output:
    • Device State

      AzureAdJoined: YES
      DomainJoined: YES

    • SSO State

      AzureAdPrt: YES


    You can find this same information in the list of Azure AD-joined devices.

  5. If you have both the Microsoft Intune and Microsoft Intune Enrollment entries under Mobility (MDM and MAM) in the Azure AD blade, make sure that you configure the auto-enrollment settings under Microsoft Intune.

  6. Verify that the following Group Policy setting is successfully deployed to all devices that should be enrolled in Intune:

    Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials

    You can contact your domain administrators to verify that the Group Policy setting is deployed successfully.
  7. Make sure that the device is not enrolled in Intune by using the classic PC agent.
  8. Verify the following settings in Azure AD and Intune:

    In Azure AD Device settings:

    • The Users may join devices to Azure AD setting is set to All.
    • The number of devices that a user has in Azure AD doesn’t exceed the Maximum number of devices per user quota.

    In Intune enrollment restrictions:

    • Enrollment of Windows devices is allowed.

Troubleshooting


If the issue persists, examine the MDM logs on the device in the following location in Event Viewer:

Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostic-Provider > Admin

Look for Event ID 75 (Event message "Auto MDM Enroll: Succeeded"). This event indicates that the auto-enrollment succeeded.


Event ID 75 is not logged in the following situations:

  • The enrollment fails.

    To verify this error, look for Event ID 76 (Event message: "Auto MDM Enroll: Failed (Unknown Win32 Error code: 0x8018002b)"). This event indicates a failed auto-enrollment.


    For a resolution to this error, see Troubleshooting Windows device enrollment problems in Microsoft Intune.

  • The enrollment wasn’t triggered at all. In this case, neither Event ID 75 nor Event ID 76 is logged.

    The auto-enrollment process is triggered by the "Schedule created by enrollment client for automatically enrolling in MDM from AAD" task that's located under Microsoft > Windows > EnterpriseMgmt in Task Scheduler.

    This task is created when the Enable automatic MDM enrollment using default Azure AD credentials Group Policy setting is successfully deployed to the target device. The task is scheduled to run every 5 minutes for 1 day.

    To verify that the task is started, check the task scheduler event logs under the following location in Event Viewer:

    Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational

    When the task is triggered on the scheduler, Event ID 107 is logged.

    When the task is completed, Event ID 102 is logged. This occurs regardless of whether auto enrollment succeeds.

    Note: You can use the Task Scheduler log to check whether auto-enrollment is triggered. However, you can’t use that log to determine whether auto-enrollment succeeded.

    The following situations may cause the Schedule created by enrollment client for automatically enrolling in MDM from AAD task not to start:

    • The device is already enrolled in another MDM solution. In this case, Event ID 7016 together with error code 2149056522 is logged in the Applications and Services Logs > Microsoft > Windows > Task Scheduler > Operational event log.

      To fix this issue, unenroll the device from the other MDM solution.
    • A Group Policy issue exists. In this case, force an update of Group Policy settings by running the following command:

      gpupdate /force


      If the issue persists, do additional troubleshooting in Active Directory.
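As an added example (not part of the original article), the following PowerShell script runs the hybrid-join checks from step 4 of the verification section and the task and event log checks from this section on the local device in one read-only pass. The full event log names, the task path and the parsing of dsregcmd output are this script's own assumptions based on the locations named above.

```powershell
# Added example, not from the original article: read-only health check for
# Group Policy-based Intune auto-enrollment. Run in an elevated PowerShell
# session on the affected Windows 10 (1709 or later) device.

function Get-DsregFlag {
    # Return the YES/NO value of one "Name : value" line in dsregcmd /status output.
    param([string[]]$Output, [string]$Name)
    foreach ($line in $Output) {
        if ($line -match "^\s*$Name\s*:\s*(\S+)") { return $Matches[1] }
    }
    return 'UNKNOWN'
}

# Step 4: the device must be hybrid Azure AD joined and hold a PRT.
$status = dsregcmd /status
$join = [ordered]@{
    AzureAdJoined = Get-DsregFlag -Output $status -Name 'AzureAdJoined'
    DomainJoined  = Get-DsregFlag -Output $status -Name 'DomainJoined'
    AzureAdPrt    = Get-DsregFlag -Output $status -Name 'AzureAdPrt'
}
foreach ($entry in $join.GetEnumerator()) {
    $tag = if ($entry.Value -eq 'YES') { 'OK  ' } else { 'FAIL' }
    "[$tag] $($entry.Key) = $($entry.Value)"
}

# Step 6: the Group Policy setting creates this task; if it is missing, the
# policy has not applied (or the device is already enrolled in another MDM).
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' `
    -TaskName 'Schedule created by enrollment client for automatically enrolling in MDM from AAD' `
    -ErrorAction SilentlyContinue
if ($task) { "[OK  ] Auto-enroll task present, state: $($task.State)" }
else       { "[FAIL] Auto-enroll task missing; re-apply Group Policy (gpupdate /force)" }

# Event ID 75 (succeeded) / 76 (failed) in the MDM diagnostic log, newest first.
# Assumed full log name for the Event Viewer path given in the article.
$mdm = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostic-Provider/Admin'
    Id      = 75, 76 } -MaxEvents 5 -ErrorAction SilentlyContinue
if ($mdm) { $mdm | ForEach-Object { "[MDM ] $($_.TimeCreated) Event $($_.Id): $($_.Message)" } }
else      { "[INFO] No Event ID 75/76 logged: enrollment has not been attempted yet" }

# Task Scheduler events for the auto-enroll task: 107 (triggered), 102 (completed),
# 7016 (failed to start, e.g. already enrolled in another MDM). An empty result can
# also mean the Operational log is disabled on this device.
$sched = Get-WinEvent -FilterHashtable @{
    LogName = 'Microsoft-Windows-TaskScheduler/Operational'
    Id      = 107, 102, 7016 } -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Message -like '*automatically enrolling in MDM from AAD*' }
if ($sched) { $sched | ForEach-Object { "[TASK] $($_.TimeCreated) Event $($_.Id)" } }
else        { "[INFO] No scheduler events for the auto-enroll task (not triggered, or log disabled)" }
```

A FAIL on any dsregcmd flag or a missing task points back to the verification section; Event ID 76 with 0x8018002b points to the enrollment troubleshooting article referenced above.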