I think this is a really interesting case and although Hybrid Azure AD Join is something I am not recommending over Azure AD Join, sometimes there are circumstances that leads to no other choice but to adjust and make the best out of the situation and plan for a better solution more long-term.
Current situation and scenario goal
The mission is to enroll all Windows devices (shared and Hybrid Azure AD Joined) to Intune and the specifications are as below:
- Windows 10 and 11 Enterprise 21H2 (or 22H2) computers which are Hybrid Azure AD Joined.
- The devices are used as shared computers, so there are no primary users of these devices.
- Intune licenses are device based, not user based which is the typical and most common scenario.
- Microsoft Endpoint Manager Configuration Manager is NOT used.
The million-dollar question is how these shared computers can be enrolled into Intune automatically? The scenario must cover both enrolling newly deployed computers as well as existing computers. The solution must be fully automated i.e., no manual steps must exist in the process.
Note: The typical GPO to enable MDM automatic enrollment via user credential cannot be used as the users do not have Intune licenses.
My thoughts on how to come to a solution came pretty much in this order, and turns out to be a real challenge
1. Use “Device Credential” in the GPO “Enable automatic MDM enrollment…”
The GPO “Enable automatic MDM enrollment using default Azure AD credentials” got a new option some years ago and can be set to “device credential” instead of the default “user credential”. Sounds like the perfect solution!
Problem: Error code 0x80180001 in the event logs “Device based token is not supported to enrollment type OnPremiseGroup PolicyCoManaged”. It turns out that this setting is only supported using MEMCM/SCCM or Azure Virtual Desktop, and obviously blocked or not meeting the technical requirements on other machines.
2. Autopilot self-deploying mode profile
That was a good idea although self-deploying profiles cannot be used as it supports only Azure AD Join and not Hybrid Azure AD Join.
3. Provisioning package – Only enrollment
Using a provisioning package (PPKG) you could potentially enroll into an MDM solution (such as Intune) using Workplace/Enrollment settings as noted in Bulk enrollment – Windows Client Management | Microsoft Docs. However, “username and password security type not supported”. However, this enrollment seems to primarily be targeted and intended for third party MDM solutions or the now long gong feature to enroll into on-premises MDM in Configuration Manager, not Intune. Or did anyone succeed in enrolling into Intune this way? If so, please ping me!
4. Provisioning package – Using bulk enrollment token
Although this way is typically used for performing Azure AD Join + automatic Intune enrollment using a Device Enrollment Manager (DEM) account, I thought I’d try it out to see what happens as I never tried this on a Hybrid Azure AD Joined computer.
Well after obtaining the bulk enrollment token through the simple wizard in Windows Imaging and Configuration Designer, I switched to advanced mode and got rid of everything from the provisioning package apart from the Azure/bulk enrollment token parts.
I then ran the provisioning package on my target test machine and the enrollment seem to have worked. Although, it resulted in another device object in Azure AD, and it successfully enrolled into Intune.
Hmm, not ideal but a big step in the right direction. Another question or thought is that even though this works technically, how far from being a supported is this scenario? Intune-device based licensing supports DEM accounts as enrollment type as per Licenses available for Microsoft Intune | Microsoft Docs, and the bulk enrollment is supported as well as per Enroll devices using a device enrollment manager account – Microsoft Intune | Microsoft Docs.
Next steps and summary
Well, automating the application of PPKG from step 4 above as part of the deployment process is easy, it needs some additional checks though as the provisioning package must only be run after the successful Hybrid Azure AD Join has taken place, otherwise I see this will fail. Not optimal and requires more testing, and even if this would work the scenario is a true corner-case!
Going back to Autopilot self-deploying mode seems a lot easier, so let’s evaluate what needs to be in place for this to become reality, overcoming the hurdles!