I had a number of devices where the user didn't have Intune licensing when the Azure AD domain join was performed.
So the device appears in Azure AD as a device, but the MDM column says None:
Device enrollment happens during the Out of Box Experience (OOBE) or at Azure Active Directory Join (AADJ), provided the licensing and configuration are correct at that moment. You can miss these opportunities because:
- the user account wasn't in the MDM auto-enrollment scope, or
- the device wasn't in the scope of an Autopilot deployment profile, or
- the licensing was incorrect at the time of the domain join (dsregcmd).
What do you do?
Add a Value to the Local Registry
Local registry change, taken from here:
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
"AutoEnrollMDM"=dword:00000001
Remove the Reference to the MAM Enrollment
For some reason, although the devices had been AADJ'd, they had also enrolled for MAM, and that enrollment was stopping the Intune enrollment after they received the right licensing.
So this PowerShell snippet was used to look for the MAM enrollment URL, delete that enrollment, and then call deviceenroller to trigger the auto-enrollment.
$EnrollmentsPath = "HKLM:\SOFTWARE\Microsoft\Enrollments\"
$Enrollments = Get-ChildItem -Path $EnrollmentsPath
# Intune MDM enrollments use "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc";
# only enrollments whose discovery URL is the MAM (WIP) one below are removed.
$DiscoveryServerFullUrls = @("https://wip.mam.manage.microsoft.com/Enroll")
Foreach ($Enrollment in $Enrollments) {
    $EnrollmentObject = Get-ItemProperty -Path $Enrollment.PSPath
    if ($EnrollmentObject."DiscoveryServiceFullURL" -in $DiscoveryServerFullUrls) {
        $EnrollmentPath = $EnrollmentsPath + $EnrollmentObject."PSChildName"
        Remove-Item -Path $EnrollmentPath -Recurse
        # The executable and its arguments must be separate tokens; quoting them
        # as one string makes PowerShell look for a file with that whole name.
        & "C:\Windows\System32\deviceenroller.exe" /c /AutoEnrollMDM
    }
}
Deploy a PowerShell Script to Do It All
<#
.NOTES
===========================================================================
Created on: 12/12/2018
Modified on: 12/12/2018
Created by: Timmy Andersson
Twitter: @TimmyITdotcom
Blog: www.timmyit.com & https://blog.ctglobalservices.com/author/tan/
===========================================================================
.DESCRIPTION
MDM join script. Creates a registry key and a scheduled task to start the process of MDM-joining a computer.
===========================================================================
#>
Begin {
    $RegKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\"
    $RegKey1 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
    $ScheduleName = "Schedule created by enrollment client for automatically enrolling in MDM from AAD"
    # Start the task five minutes from now. Date and time are taken from the same
    # timestamp so the start boundary stays correct when the offset crosses midnight.
    $Start = (Get-Date).AddMinutes(5)
    $Date = $Start.ToString("yyyy-MM-dd")
    $Time = $Start.ToString("HH:mm:ss")
    # Task definition (runs as SYSTEM, retries every 5 minutes for one day).
    $ST = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>\Microsoft\Windows\EnterpriseMgmt\Schedule created by enrollment client for automatically enrolling in MDM from AAD</URI>
    <SecurityDescriptor>D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)</SecurityDescriptor>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT5M</Interval>
        <Duration>P1D</Duration>
        <StopAtDurationEnd>true</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>$($Date)T$($Time)</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\deviceenroller.exe</Command>
      <Arguments>/c /AutoEnrollMDM</Arguments>
    </Exec>
  </Actions>
</Task>
"@
}
Process {
    # Policy values that enable MDM auto-enrollment using the device's AAD credentials.
    New-Item -Path $RegKey -Name MDM -Force | Out-Null
    New-ItemProperty -Path $RegKey1 -Name AutoEnrollMDM -Value 1 -Force | Out-Null
    New-ItemProperty -Path $RegKey1 -Name UseAADCredentialType -Value 1 -Force | Out-Null
    & gpupdate /force
    # Remove any stale MAM (WIP) enrollment, which otherwise blocks the Intune MDM enrollment.
    $EnrollmentsPath = "HKLM:\SOFTWARE\Microsoft\Enrollments\"
    $Enrollments = Get-ChildItem -Path $EnrollmentsPath
    # Intune MDM enrollments use "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc".
    $DiscoveryServerFullUrls = @("https://wip.mam.manage.microsoft.com/Enroll")
    Foreach ($Enrollment in $Enrollments) {
        $EnrollmentObject = Get-ItemProperty -Path $Enrollment.PSPath
        if ($EnrollmentObject."DiscoveryServiceFullURL" -in $DiscoveryServerFullUrls) {
            $EnrollmentPath = $EnrollmentsPath + $EnrollmentObject."PSChildName"
            Remove-Item -Path $EnrollmentPath -Recurse
        }
    }
    # Register the enrollment task outside the loop so devices that never had a
    # MAM enrollment still get one; the original only registered it after a removal.
    (Register-ScheduledTask -Xml $ST -TaskName $ScheduleName -Force) | Out-Null
}
Also, at some point a user with Intune licensing needs to log on interactively; the scheduled task will then auto-enroll the device in Intune MDM.
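Before applying the fixes it helps to confirm which of the three causes listed at the top actually applies, and after the script has run it helps to see whether the task fired and whether an Intune enrollment now exists. The following read-only status check is an added example, not code from the original post or from the linked script. It assumes that dsregcmd /status prints "Name : Value" lines for AzureAdJoined and MdmUrl, and that the per-enrollment value names ProviderID, EnrollmentType and UPN exist under HKLM\SOFTWARE\Microsoft\Enrollments; any that are missing simply show as empty. The URLs, the policy key and the task name are the ones the post itself uses.

```powershell
# Added example (not from the original post): read-only check of the conditions
# the fixes depend on. Run from an elevated PowerShell on the affected device.
# Assumed: dsregcmd "Name : Value" output format; the ProviderID, EnrollmentType
# and UPN value names on enrollment keys (missing ones show as empty).

$MamUrl    = 'https://wip.mam.manage.microsoft.com/Enroll'
$IntuneUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
$TaskName  = 'Schedule created by enrollment client for automatically enrolling in MDM from AAD'
$TaskPath  = '\Microsoft\Windows\EnterpriseMgmt\'
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# Pull one "Name : Value" field out of the dsregcmd /status output.
function Get-DsRegField {
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match ('^\s*' + [regex]::Escape($Name) + '\s*:\s*(.*?)\s*$')) {
            return $Matches[1]
        }
    }
    return $null
}

# Every enrollment key that carries a discovery URL, classified by that URL.
function Get-EnrollmentRecords {
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
            $url = $props.DiscoveryServiceFullURL
            if (-not $url) { return }   # Status, Context, Ownership etc. carry no URL
            $kind = if ($url -eq $MamUrl) { 'MAM' } elseif ($url -eq $IntuneUrl) { 'IntuneMDM' } else { 'Other' }
            [PSCustomObject]@{
                Key            = $_.PSChildName
                Kind           = $kind
                DiscoveryUrl   = $url
                ProviderID     = $props.ProviderID      # assumed value name
                EnrollmentType = $props.EnrollmentType  # assumed value name
                UPN            = $props.UPN             # assumed value name
            }
        }
}

function Get-MdmEnrollmentStatus {
    $policy   = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $dsreg    = & "$env:windir\System32\dsregcmd.exe" /status 2>$null
    $records  = @(Get-EnrollmentRecords)
    $task     = Get-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -ErrorAction SilentlyContinue
    $taskInfo = if ($task) { $task | Get-ScheduledTaskInfo } else { $null }

    $autoEnroll = $policy.AutoEnrollMDM
    $joined     = Get-DsRegField -Lines $dsreg -Name 'AzureAdJoined'
    $mdmUrl     = Get-DsRegField -Lines $dsreg -Name 'MdmUrl'
    $mamCount   = @($records | Where-Object Kind -eq 'MAM').Count
    $mdmCount   = @($records | Where-Object Kind -eq 'IntuneMDM').Count
    $taskState  = if ($task) { [string]$task.State } else { 'not registered' }
    $lastResult = if ($taskInfo) { '0x{0:X8}' -f [uint32]$taskInfo.LastTaskResult } else { $null }

    # Map the observations onto the causes listed in the post and the state of
    # the fix, in the order a technician would act on them.
    $findings = New-Object System.Collections.Generic.List[string]
    if ($joined -ne 'YES')  { $findings.Add('Device is not Azure AD joined; auto-enrollment needs AADJ first') }
    if (-not $mdmUrl)       { $findings.Add('dsregcmd reports no MdmUrl; check the MDM user scope and licensing in the tenant') }
    if ($autoEnroll -ne 1)  { $findings.Add('AutoEnrollMDM policy value is missing or not 1') }
    if ($mamCount -gt 0)    { $findings.Add("$mamCount MAM enrollment(s) present; these block the Intune MDM enrollment") }
    if ($mdmCount -gt 0) {
        $findings.Add('Intune MDM enrollment present')
    } elseif ($taskState -eq 'not registered') {
        $findings.Add('Enrollment task not registered; deploy the script above')
    } elseif ($lastResult -and $lastResult -ne '0x00000000') {
        $findings.Add("Enrollment task last result $lastResult; a user with an Intune licence still needs to sign in interactively")
    }

    [PSCustomObject]@{
        AutoEnrollMDM     = $autoEnroll
        AzureAdJoined     = $joined
        MdmUrl            = $mdmUrl
        MamEnrollments    = $mamCount
        IntuneEnrollments = $mdmCount
        TaskState         = $taskState
        TaskLastResult    = $lastResult
        Enrollments       = $records
        Findings          = $findings.ToArray()
    }
}

Get-MdmEnrollmentStatus | Format-List
```

Findings comes back empty once the policy value is set, no MAM enrollment remains and an Intune MDM enrollment key exists; until a licensed user has signed in, expect to see the task registered with a non-zero last result instead. Because the check only reads the registry, dsregcmd and the task scheduler, it is safe to run repeatedly or to push through the same deployment channel as the script to collect state across the fleet.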