
MDM Auto-Enrollment

As part of the implementation you will need to configure an AD Group Policy.
Microsoft ships a Group Policy administrative template (MDM.admx) that carries the setting required to enroll a Windows 10 device in MDM automatically; the templates for your Windows 10 build must be available to the Group Policy Management Console before the setting appears.

Read the full document below for all details
Enroll a Windows 10 device automatically using Group Policy

In the lab environment I’ve downloaded the Group Policy Administrative Templates for Windows 10 (1909).

1. On the Domain Controller install the Templates and open the following location:
   ‘C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)’

2. Copy the ‘PolicyDefinitions’ folder (ADMX files plus the language sub-folders) to the Group Policy Central Store in SYSVOL

Where ‘YourDomainName’ in the Central Store path is the name of your actual domain

3. Open the Group Policy Management Console

4. Configure two policies and link them to the ‘Devices’ OU

MDM Enrollment:
Computer Configuration > Policies > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials.
Set it to Enabled and, in the 1903+ templates, select ‘User Credential’ as the credential type. The computer must already be hybrid Azure AD joined and the signing-in user must be covered by the Intune MDM user scope in Azure AD, otherwise the enrollment task will keep failing.

Desktop Security Policy:
This second policy is not part of enrollment itself; it is only needed because I log on to the Windows 10 VM over RDP as a standard user, which requires the ‘Allow log on through Remote Desktop Services’ user right. Grant it to a group containing your test users rather than to Everyone.
Computer Configuration > Policies > Security Settings > Local Policies > User Rights Assignment > Allow log on through Remote Desktop Services
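The steps above can also be scripted from the Domain Controller. The following is an added example, not code from the original post: it copies the templates into the Central Store and creates and links the MDM enrollment GPO with the GroupPolicy module. It assumes the domain is ‘corp.example.com’, the templates were installed to the 1909 path shown above, and the target OU is called ‘Devices’; change those for your environment. The ‘Allow log on through Remote Desktop Services’ right has no GroupPolicy cmdlet (it lives in the GPO’s GptTmpl.inf), so that second policy is still set in the console.

```powershell
#Requires -Modules GroupPolicy, ActiveDirectory
# Added example (not the post's own code). Run on the Domain Controller as a domain admin.
# Assumptions: domain 'corp.example.com', 1909 templates at the path from the post, OU 'Devices'.
$Domain       = 'corp.example.com'
$TemplateRoot = 'C:\Program Files (x86)\Microsoft Group Policy\Windows 10 November 2019 Update (1909)\PolicyDefinitions'
$CentralStore = "\\$Domain\SYSVOL\$Domain\Policies\PolicyDefinitions"
$DevicesOU    = (Get-ADOrganizationalUnit -Filter "Name -eq 'Devices'").DistinguishedName
if (-not $DevicesOU) { throw "OU 'Devices' not found in $Domain" }

# Steps 1-2: populate the Central Store. GPMC prefers the Central Store over the local
# PolicyDefinitions folder, so every admin workstation then sees the same MDM.admx.
if (-not (Test-Path $CentralStore)) {
    New-Item -ItemType Directory -Path $CentralStore | Out-Null
}
Copy-Item -Path (Join-Path $TemplateRoot '*') -Destination $CentralStore -Recurse -Force

# Step 4: the MDM enrollment GPO. 'Enable automatic MDM enrollment using default Azure AD
# credentials' is backed by two values under the MDM policy key:
#   AutoEnrollMDM        = 1  (policy Enabled)
#   UseAADCredentialType = 1  (User Credential; 2 would be Device Credential)
$GpoName = 'MDM Auto-Enrollment'
$MdmKey  = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment 'Auto-enroll hybrid Azure AD joined devices into Intune'
}
Set-GPRegistryValue -Name $GpoName -Key $MdmKey -ValueName 'AutoEnrollMDM'        -Type DWord -Value 1 | Out-Null
Set-GPRegistryValue -Name $GpoName -Key $MdmKey -ValueName 'UseAADCredentialType' -Type DWord -Value 1 | Out-Null

# Link to the Devices OU only. Linking at the domain root would make every computer object,
# domain controllers included, attempt enrollment.
$linked = (Get-GPInheritance -Target $DevicesOU).GpoLinks | Where-Object DisplayName -eq $GpoName
if (-not $linked) {
    New-GPLink -Name $GpoName -Target $DevicesOU -LinkEnabled Yes | Out-Null
}

# Show what the GPO now contains before clients pick it up.
Get-GPRegistryValue -Name $GpoName -Key $MdmKey | Format-Table ValueName, Type, Value
```

Because the script writes the registry-backed values directly, the GPO shows the same setting as ‘Enabled / User Credential’ when you open it in the console, which is a quick way to confirm the Central Store templates are being read.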


To validate this is working as expected, log on to the Windows 10 computer (after policy has refreshed) and:

1. Check the Event Log under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin for
   Event ID 75 (‘Auto MDM Enroll: Succeeded’). Event ID 76 (‘Auto MDM Enroll: Failed’) in the same log carries the error code when enrollment did not succeed.

I would also recommend reviewing the other events written to that log, as they show what is occurring at each stage of MDM enrollment.
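The same checks, scripted for the client, as an added example that is not code from the original post. It is run elevated on the Windows 10 device after ‘gpupdate /force’ and reports the hybrid join state from dsregcmd, the registry values the GPO writes, the scheduled task that policy application creates, and the latest 75/76 event; the function name ‘Test-MdmAutoEnrollment’ is my own.

```powershell
# Added example (not the post's own code). Run elevated on the Windows 10 device.
function Test-MdmAutoEnrollment {
    [CmdletBinding()]
    param()

    # Hybrid Azure AD join is a prerequisite: both flags must read YES in dsregcmd /status.
    $dsreg = dsregcmd /status
    $azureAdJoined = [bool]($dsreg | Select-String -Pattern '^\s*AzureAdJoined\s*:\s*YES')
    $domainJoined  = [bool]($dsreg | Select-String -Pattern '^\s*DomainJoined\s*:\s*YES')

    # The GPO writes these two values; if they are missing, policy has not applied yet.
    $mdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $reg = Get-ItemProperty -Path $mdmKey -ErrorAction SilentlyContinue
    $autoEnroll     = $reg.AutoEnrollMDM -eq 1
    $userCredential = $reg.UseAADCredentialType -eq 1

    # Applying the policy creates this task, which retries enrollment every 5 minutes.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' `
        -TaskName 'Schedule created by enrollment client for automatically enrolling in MDM from AAD' `
        -ErrorAction SilentlyContinue

    # 75 = 'Auto MDM Enroll: Succeeded'; 76 = 'Auto MDM Enroll: Failed' plus the error code.
    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $events  = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 75, 76 } `
        -MaxEvents 20 -ErrorAction SilentlyContinue
    $latest  = $events | Sort-Object TimeCreated -Descending | Select-Object -First 1

    [pscustomobject]@{
        HybridJoined        = $azureAdJoined -and $domainJoined
        AutoEnrollMDM       = $autoEnroll
        UserCredentialType  = $userCredential
        ScheduledTaskExists = [bool]$task
        LastEnrollEventId   = $latest.Id
        LastEnrollEventTime = $latest.TimeCreated
        LastEnrollMessage   = $latest.Message
        Enrolled            = ($latest.Id -eq 75)
    }
}

Test-MdmAutoEnrollment | Format-List
```

Read the output top to bottom: a false HybridJoined means the computer object is not being synced (see the note below about the OU and AD Connect), false registry flags mean the GPO has not applied, a missing task means the policy applied but the enrollment client never scheduled the attempt, and a 76 event gives the error to look up in the troubleshooting document.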

Note – Don’t forget to move your Windows 10 computer to the correct OU so it is synchronized to Azure AD. You may need to check or amend the OU filtering in Azure AD Connect to ensure that OU is included in the sync; without the synced computer object the device cannot complete hybrid Azure AD join, and auto-enrollment will fail.

For any problems with enrollment, check the details in the document below.

Troubleshoot auto-enrollment of devices

In Part 5 we’ll test the configuration
