How to Auto-enroll in Intune MDM after Domain Join

Written by James McDonald

August 27, 2021

I had a number of devices whose users didn't have Intune licensing when the Azure AD domain join was performed.

So each device appears in Azure AD as a device, but the MDM column says None.

The device enrollment happens if the licensing and configuration are correct during the Out of Box Experience (OOBE) or during Azure Active Directory Join (AADJ). You can miss these opportunities because:

  1. the user account wasn't in the auto-enrollment scope or
  2. the device wasn't in Autopilot Deployment Profile scope or
  3. the licensing was incorrect during domain join (dsregcmd).

What do you do?

Add a Value to the Local Registry

Local registry change from here

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
"AutoEnrollMDM"=dword:00000001

Remove reference to MAM Enrollment

For some reason, although the devices had been AADJ'd, they had also enrolled for MAM, and that enrollment was stopping the Intune enrollment after they received the right licensing.

So this snippet of PowerShell was used to look for the MAM enrollment URL, delete the enrollment, and then call deviceenroller to trigger the auto-enrollment.

$EnrollmentsPath = "HKLM:\SOFTWARE\Microsoft\Enrollments\"

# Each subkey under Enrollments is one enrollment
$Enrollments = Get-ChildItem -Path $EnrollmentsPath

# "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"

# Only enrollments whose discovery URL is in this list are removed
$DiscoveryServerFullUrls = @("https://wip.mam.manage.microsoft.com/Enroll")

Foreach ($Enrollment in $Enrollments) {
      $EnrollmentObject = Get-ItemProperty Registry::$Enrollment
      if ($EnrollmentObject."DiscoveryServiceFullURL" -in $DiscoveryServerFullUrls ) {
            $EnrollmentPath = $EnrollmentsPath + $EnrollmentObject."PSChildName"
            # Delete the MAM enrollment key and everything under it
            Remove-Item -Path $EnrollmentPath -Recurse
            # The executable path and its arguments must be separate tokens for the call operator
            & "C:\Windows\System32\deviceenroller.exe" /c /AutoEnrollMDM
      }
}
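Because the snippet above deletes registry keys, a read-only check of the same locations is useful before running it. This is an added example, not code from the original post: the function name `Get-MdmEnrollmentReport` is hypothetical, and it assumes `dsregcmd /status` prints `AzureAdJoined` and `MdmUrl` fields.

```powershell
# Added example: read-only pre-check; it changes nothing on the device.
function Get-MdmEnrollmentReport {
    [CmdletBinding()]
    param(
        # MAM discovery URL matched by the removal snippet on this page
        [string[]]$MamDiscoveryUrls = @('https://wip.mam.manage.microsoft.com/Enroll'),
        [string]$EnrollmentsPath = 'HKLM:\SOFTWARE\Microsoft\Enrollments',
        [string]$PolicyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    )

    # Join state as reported by dsregcmd ("AzureAdJoined : YES", "MdmUrl : ...")
    $dsreg = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(AzureAdJoined|MdmUrl)\s*:\s*(.*)$') {
            $dsreg[$Matches[1]] = $Matches[2].Trim()
        }
    }

    # Auto-enrollment policy value; $null means the value is not set
    $policy = Get-ItemProperty -Path $PolicyPath -Name AutoEnrollMDM -ErrorAction SilentlyContinue

    # Every enrollment subkey that records a discovery URL
    $enrollments = foreach ($key in (Get-ChildItem -Path $EnrollmentsPath -ErrorAction SilentlyContinue)) {
        $url = $key.GetValue('DiscoveryServiceFullURL')
        if ($url) {
            [pscustomobject]@{
                EnrollmentId   = $key.PSChildName
                DiscoveryUrl   = $url
                # True when the removal snippet would delete this key
                WouldBeRemoved = $url -in $MamDiscoveryUrls
            }
        }
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        AzureAdJoined = $dsreg['AzureAdJoined']
        MdmUrl        = $dsreg['MdmUrl']
        AutoEnrollMDM = $policy.AutoEnrollMDM
        Enrollments   = @($enrollments)
    }
}

$report = Get-MdmEnrollmentReport
$report | Format-List ComputerName, AzureAdJoined, MdmUrl, AutoEnrollMDM
$report.Enrollments | Format-Table -AutoSize
```

Run it from an elevated prompt; rows with `WouldBeRemoved` set to True are the keys the removal snippet would delete.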

Deploy a PowerShell Script to Do It All

<#
.NOTES
===========================================================================
Created on:    12/12/2018
Modified on:   12/12/2018
Created by:    Timmy Andersson
Twitter:       @TimmyITdotcom
Blog:          www.timmyit.com & https://blog.ctglobalservices.com/author/tan/
===========================================================================
.DESCRIPTION
MDM Join script. Creates a registry key and a schedule task to start the process to MDM join a computer.
===========================================================================
#>

Begin {
 
  $RegKey = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\"
  $RegKey1 = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
  $ScheduleName = "Schedule created by enrollment client for automatically enrolling in MDM from AAD"
  $Date = Get-Date -Format "yyyy-MM-dd"
  $Time = (Get-date).AddMinutes(5).ToString("HH:mm:ss")
 
  $ST = @"
<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.3" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo>
    <Author>Microsoft Corporation</Author>
    <URI>\Microsoft\Windows\EnterpriseMgmt\Schedule created by enrollment client for automatically enrolling in MDM from AAD</URI>
    <SecurityDescriptor>D:P(A;;FA;;;BA)(A;;FA;;;SY)(A;;FRFX;;;LS)</SecurityDescriptor>
  </RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition>
        <Interval>PT5M</Interval>
        <Duration>P1D</Duration>
        <StopAtDurationEnd>true</StopAtDurationEnd>
      </Repetition>
      <StartBoundary>$($Date)T$($Time)</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Principals>
    <Principal id="Author">
      <UserId>S-1-5-18</UserId>
      <RunLevel>LeastPrivilege</RunLevel>
    </Principal>
  </Principals>
  <Settings>
    <MultipleInstancesPolicy>Queue</MultipleInstancesPolicy>
    <DisallowStartIfOnBatteries>false</DisallowStartIfOnBatteries>
    <StopIfGoingOnBatteries>false</StopIfGoingOnBatteries>
    <AllowHardTerminate>true</AllowHardTerminate>
    <StartWhenAvailable>true</StartWhenAvailable>
    <RunOnlyIfNetworkAvailable>true</RunOnlyIfNetworkAvailable>
    <IdleSettings>
      <StopOnIdleEnd>false</StopOnIdleEnd>
      <RestartOnIdle>false</RestartOnIdle>
    </IdleSettings>
    <AllowStartOnDemand>true</AllowStartOnDemand>
    <Enabled>true</Enabled>
    <Hidden>false</Hidden>
    <RunOnlyIfIdle>false</RunOnlyIfIdle>
    <DisallowStartOnRemoteAppSession>false</DisallowStartOnRemoteAppSession>
    <UseUnifiedSchedulingEngine>true</UseUnifiedSchedulingEngine>
    <WakeToRun>false</WakeToRun>
    <ExecutionTimeLimit>PT1H</ExecutionTimeLimit>
    <Priority>7</Priority>
  </Settings>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\system32\deviceenroller.exe</Command>
      <Arguments>/c /AutoEnrollMDM</Arguments>
    </Exec>
  </Actions>
</Task>
 
"@
 
}
Process {
  New-Item -Path $RegKey -Name MDM -Force | Out-Null
  New-ItemProperty -Path $RegKey1 -Name AutoEnrollMDM -Value 1 -Force | Out-Null
  New-ItemProperty -Path $RegKey1 -Name UseAADCredentialType -Value 1 -Force | Out-Null

  & gpupdate /force

  $EnrollmentsPath = "HKLM:\SOFTWARE\Microsoft\Enrollments\"
  $Enrollments = Get-ChildItem -Path $EnrollmentsPath
  
  # "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"
  
  $DiscoveryServerFullUrls = @("https://wip.mam.manage.microsoft.com/Enroll")
  
  Foreach ($Enrollment in $Enrollments) {
    $EnrollmentObject = Get-ItemProperty Registry::$Enrollment
    if ($EnrollmentObject."DiscoveryServiceFullURL" -in $DiscoveryServerFullUrls ) {
      $EnrollmentPath = $EnrollmentsPath + $EnrollmentObject."PSChildName"
      Remove-Item -Path $EnrollmentPath -Recurse
      (Register-ScheduledTask -XML $ST -TaskName $ScheduleName -Force) | Out-null
    }
  }
}

Also, at some point a user with Intune licensing needs to log on to the device interactively; the scheduled task will then auto-enroll the device in Intune MDM.
