The Zero-Touch Way to Move a Domain-Joined Fleet Into Intune
TL;DR
- As of May 2021, devices already joined to an on-premises Active Directory domain can be bulk-enrolled into Intune through a Group Policy Object with no end-user interaction.
- Manual enrollment through the Access work or school settings traditionally breaks because most end users are not local admins on their machines.
- Hybrid devices enrolled into Intune via GPO are classified as corporate, which keeps them under the MDM scope rather than MAM.
- Configured correctly, GPO enrollment gives MSPs the same hands-off rollout experience they expect from pushing an RMM agent.
MSPs are spoiled by RMM agents. Point the installer at a fleet, walk away, and every endpoint checks in by morning. Intune has never quite worked that way, and the gap shows the moment you try to move an existing customer environment into device management: the obvious manual route, having users enroll through the Access work or school settings, has traditionally fallen apart because the people sitting at those machines are not local admins.
There is a quieter path that gets you the RMM-style experience. For devices that are already domain joined to an on-premises Active Directory environment, a Group Policy Object can trigger Intune enrollment in bulk. Configured correctly, the entire fleet enrolls with no end-user interaction required. Nobody clicks anything, nobody needs elevated rights, and you never have to schedule a "please leave your laptop on" email campaign.
Watch the full configuration
We walk through the whole setup end to end, from the policy configuration to verifying devices land in Intune, in this video: watch the GPO enrollment tutorial on YouTube (opens in new tab).
Where GPO enrollment fits in the bigger rollout
Two related decisions determine whether this method behaves the way you expect, and both are worth settling before you push the policy:
- Auto-enrollment scopes. GPO enrollment relies on the automatic MDM enrollment settings in your tenant being configured for the right users. We cover what the MDM and MAM user scopes mean and how to set them in our breakdown of Intune auto-enrollment settings.
- Ownership classification. Hybrid devices enrolled via GPO come into Intune classified as corporate, which is exactly what you want for company-owned machines: they get the full MDM treatment instead of the lighter MAM scope. The full classification logic is in our guide to corporate vs personal devices in Intune.
For established environments, this trio of decisions, GPO enrollment for the existing domain-joined fleet, correct scopes, and clean ownership classification, is the difference between a managed estate and a pile of half-enrolled exceptions.
Frequently asked questions
Do end users have to do anything for GPO enrollment to work?
No. When the Group Policy configuration is correct, enrollment happens in the background with no end-user interaction at all. That is the main advantage over manual enrollment through Access work or school settings.
Which devices does this method apply to?
Devices that are already domain joined to an on-premises Active Directory environment. The GPO triggers automatic enrollment for those existing machines in bulk, which makes it the natural route for established fleets rather than new hardware.
Will GPO-enrolled devices show up as corporate or personal in Intune?
Corporate. Hybrid joined devices enrolled via GPO are one of the device types Intune classifies as corporate owned, so they fall under the MDM user scope and receive full device management.
Enrolled is not the same as secured
Once the fleet lands in Intune, the real question is whether compliance policies, encryption, and baselines actually hold across every tenant. CloudCapsule checks 250+ Microsoft 365 controls per tenant in about 60 seconds.
Run a free scan
Written by
Nick Ross
CEO · Microsoft MVP · Founder, T-Minus 365
Nick is not just a CEO, he's a respected thought leader and influencer in the MSP space. Tens of thousands of MSPs learn through his YouTube channel, T-Minus365. Nick has been honored as a three-time Microsoft MVP for his educational content; his expertise and influence are the backbone of our mission, ensuring that you are in the best hands when it comes to security.
Nick joined Pax8 in 2017, where he would ultimately oversee product management for PSA and Microsoft integrations. Following his tenure at Pax8, Nick has continued to demonstrate his leadership prowess as an executive at various MSPs, culminating in his most recent role at Sourcepass.
Nick holds a Bachelor's Degree in Business Management from Florida State University, as well as a Minor Degree in Entrepreneurship. In his free time, Nick is an avid hiker, reader, and fitness-junkie.


