Overview
This article outlines the steps to configure Microsoft Entra hybrid join for domain-joined devices using Group Policy in Active Directory. This method is suitable for environments with existing Active Directory infrastructure looking to extend capabilities to the cloud.
Step 1: Configure Group Policy for Device Registration
To enable devices in your OU to hybrid join Microsoft Entra ID:
- Open Group Policy Management Console (GPMC)
- Locate and open your spare GPO:
  - Navigate to the Group Policy Objects container.
  - Right-click your pre-created, unused spare GPO, typically named with your departmental prefix, and select Edit to open the Group Policy Management Editor.
- Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > Device Registration
- Edit 'Register domain-joined computers as devices' and set it to Enabled
- Navigate to: Computer Configuration > Policies > Administrative Templates > Windows Components > MDM
- Edit 'Enable automatic MDM enrollment using default Azure AD credentials' and set it to Enabled
- In Options, set the 'Select Credential Type to Use:' to Device Credential.
- Click OK
If no blank GPOs are available, submit an Active Directory Service support request and select 'Request new GPOs for your department.'
Important: Ensure Block Inheritance is applied on your department's endpoint OU to prevent higher-level GPOs from overriding your configuration.
Step 2: Verify Microsoft Entra Hybrid Join Status
To confirm the device has successfully hybrid joined, log onto the device, open Command Prompt and run:
dsregcmd /status
- Confirm both of the following show as 'YES':
  - AzureAdJoined : YES
  - DomainJoined : YES
It may take more than 5 minutes after policy application for Microsoft Entra hybrid join to complete.
Other Troubleshooting options
Identify Join Failure Phase
For Windows 10 1803+, check the following fields in the dsregcmd /status output:
- Error Phase (e.g., join)
- Client ErrorCode (e.g., 0x801c03f2)
- Server Message (e.g., device object not found)
For older versions, use Event Viewer:
- Go to: Applications and Services Log > Microsoft > Windows > User Device Registration
- Look for Event IDs: 304, 305, 307
Key Scheduled Task: Automatic-Device-Join
- For hybrid join, Windows uses a built-in scheduled task, Automatic-Device-Join (Task Scheduler Library > Microsoft > Windows > Workplace Join), to complete the registration.
This task is triggered automatically when a device signs in and has line-of-sight to a domain controller. You can manually run it to force registration if the device is stuck in a pending state.
- Leave and rejoin (for hybrid join issues).
Additional troubleshooting steps are available on Microsoft's website.
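The checks from Step 2 and the troubleshooting section above, combined into one PowerShell helper. This is an added example, not part of the original article or of any Microsoft tooling; it assumes it runs elevated on the device, that the field names match the dsregcmd /status output, and that the log name and task path given in the comments are the Windows defaults.

```powershell
# Added example: parse dsregcmd /status, then fall back to the event log and
# the Automatic-Device-Join task when the device is not yet hybrid joined.
function Test-HybridJoinStatus {
    [CmdletBinding()]
    param(
        # Defaults to live output; a captured/constructed transcript can be passed for offline review.
        [string[]]$StatusLines = (& dsregcmd /status)
    )
    # dsregcmd prints "Name : Value" rows; keep only the fields the article asks you to check.
    $fields = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|Error Phase|Client ErrorCode|Server Message)\s*:\s*(.*)$') {
            $fields[$matches[1]] = $matches[2].Trim()
        }
    }
    $joined = ($fields['AzureAdJoined'] -eq 'YES') -and ($fields['DomainJoined'] -eq 'YES')
    [pscustomobject]@{
        HybridJoined    = $joined
        AzureAdJoined   = $fields['AzureAdJoined']
        DomainJoined    = $fields['DomainJoined']
        ErrorPhase      = $fields['Error Phase']        # Windows 10 1803+ only
        ClientErrorCode = $fields['Client ErrorCode']
        ServerMessage   = $fields['Server Message']
    }
}

$status = Test-HybridJoinStatus
$status | Format-List

if (-not $status.HybridJoined) {
    # Older builds: read the User Device Registration log for the Event IDs named in the article.
    # Log name assumed to be the Windows default for "Applications and Services Logs > Microsoft > Windows > User Device Registration".
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-User Device Registration/Admin'
        Id      = 304, 305, 307
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, Message | Format-Table -Wrap

    # Force registration by running the built-in task (path assumed to be the Windows default).
    Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
    Write-Host 'Automatic-Device-Join started; re-run dsregcmd /status after a few minutes.'
}
```

Allow the full policy-application delay noted in Step 2 before treating a 'NO' as a failure; if the task has already run and the Diagnostic Data fields still show an error, use the Error Phase and Server Message values when raising a support request.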