Forum Discussion

StuartK73's avatar
StuartK73
Iron Contributor
Dec 17, 2019

Enroll existing Azure AD Joined W10 Devices into Intune

Hi All   What is the best way to enroll existing  / live / already in use Azure AD Joined W10 devices into Intune?   I have tried deep linking and get a privileges error.   Info greatly appreci...
Intune
mobile device management (mdm)
Thijs Lecomte's avatar
Thijs Lecomte
Bronze Contributor
Jun 04, 2020
There is no need to unjoin and rejoin from AAD, you can enroll into MDM without reenrolling.

AAD is not a management tool, so there is no real way to automate this
Orion-Skol's avatar
Orion-Skol
Brass Contributor
Jun 04, 2020

Thijs Lecomte totally understand what you have said. If your Intune is setup enrolled for AllUsers and you joined AAD with user, it will automatically enrolled to Intune.

 

But if  you didn't configure Intune, devices will only joined AAD as shown below.

 

Now you mentioned i can enroll into Intune without unjoined\rejoined AAD, looking at picture below, like to know How?

 

 

  • Thijs Lecomte's avatar
    Thijs Lecomte
    Bronze Contributor
    Jun 04, 2020

    Orion-Skol 

    In the Access work/school account you can enroll into MDM only.

     

    I just tested this in my lab and it works great

     

     

    • TG's avatar
      TG
      Copper Contributor
      May 23, 2022

      Thijs Lecomte this is NOT the solution.

       

      If the device is already JOINED to Azure AD, and then if you select "Enroll only in device management", the device will join Intune as a personal device. This is bad. Don't do it.

       

      The only real solution to this, is to do one of the following:

      1. Reset the device
      2. Create a local user account with admin privs, log into it, Disconnect the Azure AD Joined account in "Access work or school" settings, run this MS deep link "ms-device-enrollment:?mode=aadj&ownership=3" which will join it to AAD and Intune as corporate device, log back into Windows via AAD account, remove local account.

      So in reality, the easiest way is to reset the device. But if that's not possible, you'll have to drag the end user through option #2 to fix it.

      • labandlearn's avatar
        labandlearn
        Copper Contributor
        Jan 27, 2023

        TG 

        Hi

        Could you please give an advise?

         

        In our company we've a bunch of local users, at least 10 users / devices with local account ( no admin rights) and now we need to move then to AAD / Intunes for purpose of management, we don't have any on-prem domain or infrastructure, user they have only the O365 license set to their Windows 10 devices (Outlook, OneDrive, Excel file etc...)

         

        I was planning to "Join this device to Azure Active Directory" from Set up a work or school account. but my question is once this done, do I need to copy the local profile ? There is another way to manage my scenario smoothly as reset pc is not an option.

         

        Thank you in advance.

        Luis Loreiro

    • Orion-Skol's avatar
      Orion-Skol
      Brass Contributor
      Jun 04, 2020

      Thijs Lecomte Do users needs to be local admin? or can user without admin permission able to execute this?   I have about over 5k computers, is there automatically like powershell i can enroll?

      • Thijs Lecomte's avatar
        Thijs Lecomte
        Bronze Contributor
        Jun 04, 2020
        The user has to be local admin.
        Which makes sense, as you wouldn't want regular users to enroll into every MDM system they like.

        Every way of enrolling into MDM, will require some kind of admin access to a device.

        I don't think there is a way to automate this.

Resources