This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(70.4, 31%, 16%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ET%3C/text%3E%3C/svg%3E)
Hello,
I want to provision a HYRBID-JOINED Windows 10 laptop to Intune.
We know that we can do this work through Group Policy Task with MDM-auto-enrollment set up done in AAD
https://learn.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy
So to accomplish Intune Enrollment, a right person with license and within MDM-auto-enrollment scope has to log into the device.
Only after that the GPO will trigger.
Is it possible to do Intune Enrollment under ****Computer's Identity****
After all this computer is properly sitting in AAD with its own identity as registered-user through Self-sign-cert created and pushed out to AAD through AAD-connect.
Thanks.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(233.6, 30%, 32%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ECM%3C/text%3E%3C/svg%3E)
@testuser7 , From your description, it seems you want to enroll the device using device credential. If there's any misunderstanding, feel free to let us know.
Based as I know, the Device Credential is only supported for Microsoft Intune enrollment in scenarios with Co-management or Azure Virtual Desktop. If we are not in the two scenarios, we can only use User Credential to do the enrollment..
Hope it can help.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thanks @Crystal-MSFT yes, I read that.
So to enroll physical Hybrid joined laptops into Intune via GPO, I must use "User Credential"
That means that, somebody MUST sign in so that this policy can pick that signed in credentials, get the token from AAD for Intune and then enroll the device into Intune.
The "enrolled by" attribute in Intune would be that user-id.
The doc says that you can also accomplish MFA during Intune enrollment.
How does that happen from user's experience point of view ???
Per my understanding, this GPO task would be executed behind the scene once user unlocks the device and starts doing his business activities.
Thanks
@testuser7 , Yes, the AD user needs to sign in to complete the enrollment.
For the GPO, when it is applied successfully, a task scheduler with enrollment command will be created and scheduled to run every 5 minutes for the duration of one day. It can retrieve the right AAD token to start the enrollment when user login the device. Otherwise the enrollment can fail with error.
If MFA is enabled, you may run into an issue that will require users to complete an MFA challenge to enroll the device into Intune. That prompt usually takes the form of a notification that reads something like 'your account needs attention', 'there is an issue with your account', or 'login to fix your account' and etc. Once you select this prompt a traditional modern authentication window should pop up and ask for an MFA prompt. Once you complete this the device can then enroll. Sometimes it will cause issue for the enrollment. Given the situation, we usually suggest to exclude MFA during GPO enrollment to make the process to be smooth.
Hope it can help.
Excellent @Crystal-MSFT
This clarifies a lot.
@testuser7 , Thanks for the response. I am glad the information can help. If there's anything else we can help in the future, feel free to post in our Q&A. We are always glad to help.
Thanks for your time and have a nice day!