Zehadi Alam
Introduction
Group Policy is a traditional method for managing devices in a Windows domain environment and it can be used to automatically enroll devices into Intune. This option can be useful if you have existing domain-joined devices that you wish to manage using Intune. Enrolling a device using group policy requires the device to be Microsoft Entra hybrid joined. The "hybrid joined" state refers to the condition of being joined to both on-premises Active Directory and Entra ID. Hybrid joining is configured using the Microsoft Entra Connect tool. EITS assistance is required here, since the use of this tool requires Active Directory Enterprise Admins group membership. The following section outlines the process that UGA IT units must follow to hybrid join their devices and enroll them into Intune using group policy.
Note: Hybrid joining is not the recommended long-term strategy for Intune enrollment. New and reimaged devices should ideally not be hybrid joined; see Intune Enrollment using a Provisioning Package and Intune Enrollment using Autopilot.
Procedure
1. Submit an Intune support request to EITS and request the enablement of Entra hybrid join for the computers in your organizational unit in Active Directory. Specify the canonical name of the organizational unit (right-click the Computers OU, select Properties, and click the Object tab).

Note: If this tab is not visible, turn on Advanced Features under the View menu.

Tip: You can check whether a computer is hybrid joined locally by running dsregcmd /status and verifying that both AzureAdJoined and DomainJoined are set to YES.

You can also go to the Devices blade in Entra ID and search for the names of your devices after applying the hybrid joined filter.

2. Create an Entra security group for the faculty/staff supported by your unit (e.g., CAES - Faculty/Staff). This group will be used by EITS to assign an Intune license to its members. For the membership type, select Dynamic user and then click on Add dynamic query.

3. Use the following dynamic membership rule to populate the group with faculty/staff.

The value for the department property should be based on what is listed under the Organization tab in the properties of your Active Directory user object. In this example, our department starts with CAES, so that is the value that is used in the dynamic membership rule.

4. Follow steps 2-3 to create a group for the students supported by your unit (e.g., CAES - Students). They must also receive an Intune license to enroll devices into Intune. Use the following dynamic membership rule to populate the group with students.

5. Submit an Intune support request to EITS and request the addition of the two groups to the MDM user scope.

6. Create a GPO with the following setting and link it to your Computers OU that is synced with Entra ID.
Computer Configuration → Administrative Templates → Windows Components → MDM → Enable automatic MDM enrollment using default Azure AD credentials

7. Upon completion, when a user from your unit signs in to a hybrid-joined computer using their UGA credentials, the device will be enrolled into Intune. Your Intune dashboard will populate with devices to reflect this.
Note: The Intune enrollment process takes several minutes after the initial sign-in has occurred.
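The following PowerShell script is an added example, not part of this guide or of any EITS tooling, that checks from the device side the states steps 1, 6 and 7 depend on: the dsregcmd hybrid-join flags named in the tip above, the AutoEnrollMDM policy value that the GPO setting in step 6 writes under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM, and whether an Intune enrollment is recorded under HKLM\SOFTWARE\Microsoft\Enrollments. The enrollment test (ProviderID of MS DM Server with EnrollmentState 1) is based on the registry layout of MDM enrollments and should be treated as an assumption.

```powershell
# Added example: device-side readiness check for GPO-based Intune enrollment
# of a hybrid-joined computer. Run from an elevated PowerShell prompt.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Test-IntuneGpoEnrollmentReadiness {
    $ds = Get-DsregStatus
    # Step 1: hybrid joined means both flags report YES.
    $hybridJoined = ($ds['AzureAdJoined'] -eq 'YES') -and ($ds['DomainJoined'] -eq 'YES')

    # Step 6: the "Enable automatic MDM enrollment using default Azure AD
    # credentials" policy sets AutoEnrollMDM = 1 under this policy key.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $autoEnroll = (Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue).AutoEnrollMDM
    $gpoApplied = ($autoEnroll -eq 1)

    # Step 7: a completed enrollment appears as a GUID subkey under Enrollments.
    # Assumption: Intune uses ProviderID "MS DM Server" and EnrollmentState 1.
    $enrolled = $false
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            if ($p.ProviderID -eq 'MS DM Server' -and $p.EnrollmentState -eq 1) {
                $enrolled = $true
            }
        }

    [pscustomobject]@{
        AzureAdJoined        = $ds['AzureAdJoined']
        DomainJoined         = $ds['DomainJoined']
        HybridJoined         = $hybridJoined
        AutoEnrollMDMPolicy  = $autoEnroll
        GpoApplied           = $gpoApplied
        IntuneEnrolled       = $enrolled
    }
}

Test-IntuneGpoEnrollmentReadiness | Format-List
```

If HybridJoined is false, the EITS hybrid-join request (step 1) has not taken effect for this OU; if GpoApplied is false, run gpupdate /force and confirm the GPO is linked to the synced Computers OU before waiting on enrollment.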