Intune MDM Enrollment group policy is confusing

ComputerHabit 821 Reputation points
2024-05-13T19:28:08.5466667+00:00

I am trying very hard to understand when something will actually get enrolled. I have this group policy to enroll devices.

It only works if set to User Credentials. WHY? Why is Device there? Why doesn't device work? What is Device for? The docs from MS just don't say anything meaningful.
User's image

I am trying to get devices joined that are added to AD. They do not seem to join until after a licensed user is logged in. This is SO CONFUSING!

There is supposed to be Admin based installs and you can't do that with an unregistered device but you can't register the device unless a licensed user logs in... WTF and WHY!!!!! it's crazy!!!!

HELP.

Microsoft Intune Enrollment
Microsoft Intune Enrollment
Microsoft Intune: A Microsoft cloud-based management solution that offers mobile device management, mobile application management, and PC management capabilities.Enrollment: The process of requesting, receiving, and installing a certificate.
1,274 questions
{count} votes

Accepted answer
  1. glebgreenspan 1,365 Reputation points
    2024-05-13T20:30:22.11+00:00

    Hello

    I understand your frustration!

    Let's break down the concept of "Device" and "User Credentials" in the context of group policies and device enrollment.

    Device Credentials

    In Windows, "Device Credentials" refers to the credentials used by a device to authenticate with a domain or Active Directory (AD) without requiring a user to log in. This is often used in scenarios where devices are automatically joined to the domain or AD without human intervention.

    User Credentials

    "User Credentials," on the other hand, requires a user to log in to the device before the device can be enrolled and joined to the domain or AD. This is the default behavior in most scenarios, where a user logs in and then their device is automatically enrolled.

    Why Device Credentials don't work

    When you set the group policy to use "Device Credentials," it's not possible to enroll devices without a user logging in. This is because the device is trying to authenticate with the domain or AD without a user present.

    In your scenario, where you're trying to join devices added to AD, you're correct that they won't join until a licensed user logs in. This is because the device is trying to use "Device Credentials" to authenticate, which requires a user to be present.

    Why User Credentials work

    When you set the group policy to use "User Credentials," it allows the device to be enrolled only after a user has logged in. This means that the device can authenticate with the domain or AD using the user's credentials, which is why you see devices joining after a licensed user logs in.

    What's Device for?

    In summary, "Device Credentials" is intended for scenarios where devices are automatically joined to the domain or AD without human intervention. However, this approach doesn't work when you're trying to enroll devices added to AD, as it requires a user to be present.

    Admin-based installs

    Regarding admin-based installs, you're correct that they require an enrolled device. In your scenario, since devices are not enrolled until a licensed user logs in, you can't perform an admin-based install until then.

    Conclusion

    To summarize:

    • "Device Credentials" is used for automatic device enrollment without human intervention.
    • "User Credentials" requires a user to log in before the device can be enrolled.
    • In your scenario, using "User Credentials" means that devices will join only after a licensed user logs in.
    • You can't perform an admin-based install until the device is enrolled, which requires a licensed user to log in first.

    I hope this explanation helps clarify things for you!


1 additional answer

Sort by: Most helpful
  1. Crystal-MSFT 44,421 Reputation points Microsoft Vendor
    2024-05-14T02:03:08.6666667+00:00

    @ComputerHabit, Thanks for posting in Q&A. In Fact, Device Credential is only supported for some specific Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop multi-session host pools.

    For the device which will be used by specific user, user credential needs to be set and Intune license needs to be assigned. User's image

    https://learn.microsoft.com/en-us/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy

    Hope the above information can help.


    If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

    Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.