Forum Discussion
sidhinsasi
Mar 21, 2023 (Copper Contributor)
Best way to join AzureAD devices to Intune
Any suggestions on the best way to join Azure AD devices to Intune?
Users do not have admin access and are synced from on-premises AD to AAD.
I need zero user interaction, as I am using an RMM tool to deploy the scripts.
Tried the below:
# Locate the single tenant GUID subkey under TenantInfo (present once the device is Azure AD joined)
$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*'
$keyinfo = Get-Item "HKLM:\$key"
$url = $keyinfo.Name
$url = $url.Split("\")[-1]
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$url"
# Write the MDM discovery URLs DeviceEnroller reads; -ea SilentlyContinue hides any failure here
New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath $path -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ea SilentlyContinue;
# Trigger the device-credential MDM auto-enrollment
C:\Windows\System32\deviceenroller.exe /c /AutoEnrollMDM
However, I got an error when trying to run DeviceEnroller through the RMM:
"DeviceEnroller.exe" is not recognized as an internal or external command
Though I was able to run the command from the client directly, nothing is happening and the endpoint is not appearing in Intune after a few hours.
Almost as if it is looking for the proper version ... 32/64 ... that's odd. Changing the path to Sysnative instead isn't working either???? Also ... Tanium 🙂 we can always blame Mister Niehaus... right 😉
Looks like part of my script from my website 😛
We are using a bit of the same script to enroll the device into Intune. When we deploy it as a script in SolarWinds/N-able it works as expected. What happens if you change it to this:
$EnrollmentProcess = Start-Process -FilePath "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/C /AutoenrollMDM" -NoNewWindow -Wait -PassThru
- sidhinsasi (Copper Contributor)
Yes, it was your script.
Running it with the changes you mentioned.
The only change in my scenario is that users do not have admin rights on the laptops.
Will update you soon on the results.
- sidhinsasi (Copper Contributor)
Unfortunately, I am getting the same error here also with DeviceEnroller.exe:
2023-03-21T17:40:50Z|CommandLine: cmd.exe /d /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -NoProfile -File "USA-deviceenroller.ps1"
Start-Process : This command cannot be run due to the error: The system cannot find the file specified.
At C:\Program Files (x86)\Tanium\Tanium Client\Downloads\Action_641716\USA-deviceenroller.ps1:1 char:22
+ ... ntProcess = Start-Process -FilePath "C:\Windows\System32\DeviceEnroll ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOperationException
+ FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
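One thing worth checking before anything else in this thread: the error above comes from a script living under "Program Files (x86)", i.e. a 32-bit agent. On 64-bit Windows, a 32-bit process that opens C:\Windows\System32 is silently redirected by WOW64 to C:\Windows\SysWOW64, and DeviceEnroller.exe only exists in the native System32. The virtual Sysnative folder bypasses that redirection, but it only exists for 32-bit processes, so hardcoding either path can fail depending on which PowerShell host the RMM happens to launch; the folder has to be picked at run time. The script below is an added example, not the original poster's script nor the one from the replier's website. It assumes it runs as SYSTEM from the RMM agent on a device that is already Azure AD or hybrid joined; the function names and the constructed dsregcmd sample are this example's own. It selects the correct folder, confirms the join with dsregcmd, writes the same three TenantInfo values as the original script (failing loudly instead of swallowing errors), then runs DeviceEnroller.exe and hands its exit code back to the RMM.

```powershell
# Added example for this thread (not the original poster's script nor the one on
# the replier's website). Assumes it runs as SYSTEM from the RMM agent on a device
# that is already Azure AD / hybrid joined. Function names and the sample dsregcmd
# output below are this example's own.
$ErrorActionPreference = 'Stop'

function Get-NativeSystem32Path {
    # WOW64 redirects System32 to SysWOW64 for 32-bit processes on 64-bit Windows;
    # DeviceEnroller.exe lives only in the native System32. The virtual Sysnative
    # folder escapes the redirection but exists only for 32-bit processes, so the
    # choice must be made at run time rather than hardcoded either way.
    if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
        return (Join-Path $env:windir 'Sysnative')
    }
    return (Join-Path $env:windir 'System32')
}

function ConvertFrom-DsregStatus {
    # Reduce the 'Name : Value' rows of dsregcmd /status to the join-state fields.
    param([Parameter(Mandatory)][string[]]$Lines)
    $state = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(.*?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-CloudJoinTenantKey {
    # Same key the original script targets, but fail if it is absent or ambiguous.
    $base = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
    $keys = @(Get-ChildItem -Path $base -ErrorAction SilentlyContinue)
    if ($keys.Count -ne 1) {
        throw "Expected one TenantInfo subkey under $base, found $($keys.Count); is the device Azure AD joined?"
    }
    return $keys[0].PSPath
}

function Invoke-IntuneAutoEnroll {
    $sys32    = Get-NativeSystem32Path
    $dsregcmd = Join-Path $sys32 'dsregcmd.exe'
    $enroller = Join-Path $sys32 'DeviceEnroller.exe'
    foreach ($exe in @($dsregcmd, $enroller)) {
        if (-not (Test-Path -LiteralPath $exe)) {
            throw "$exe not found (64-bit process: $([Environment]::Is64BitProcess))"
        }
    }

    $status = ConvertFrom-DsregStatus -Lines (& $dsregcmd /status)
    if ($status['AzureAdJoined'] -ne 'YES') {
        throw 'Device is not Azure AD joined; MDM auto-enrollment needs the join first.'
    }

    # The three discovery values the original post writes, so DeviceEnroller
    # knows which MDM to talk to. No -ErrorAction SilentlyContinue: a failed write
    # should fail the RMM job, not produce a device that silently never enrolls.
    $tenantKey = Get-CloudJoinTenantKey
    $urls = @{
        MdmEnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
        MdmTermsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
        MdmComplianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
    }
    foreach ($name in $urls.Keys) {
        New-ItemProperty -LiteralPath $tenantKey -Name $name -Value $urls[$name] `
            -PropertyType String -Force | Out-Null
    }

    # -Wait -PassThru surfaces the exit code instead of fire-and-forget, so the RMM
    # can flag failures rather than waiting hours for a device that never shows up.
    $proc = Start-Process -FilePath $enroller -ArgumentList '/c', '/AutoEnrollMDM' `
        -NoNewWindow -Wait -PassThru
    Write-Host "DeviceEnroller.exe exited with code $($proc.ExitCode)"
    return $proc.ExitCode
}

# Constructed dsregcmd /status excerpt to sanity-check the parser offline.
$sampleStatus = @(
    '             AzureAdJoined : YES',
    '              DomainJoined : YES'
)
$parsed = ConvertFrom-DsregStatus -Lines $sampleStatus
if ($parsed['AzureAdJoined'] -ne 'YES' -or $parsed['DomainJoined'] -ne 'YES') {
    throw 'dsregcmd parser self-check failed'
}

exit (Invoke-IntuneAutoEnroll)
```

Deploy it the same way as the original (the RMM's cmd.exe /c powershell.exe -ExecutionPolicy Bypass -File wrapper is fine); the script's exit code is DeviceEnroller's, so a non-zero result or a thrown error shows up in the RMM job instead of being lost.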