Forum Discussion

StuartK73's avatar
StuartK73
Steel Contributor
Dec 17, 2019

Enroll existing Azure AD Joined W10 Devices into Intune

Hi All   What is the best way to enroll existing  / live / already in use Azure AD Joined W10 devices into Intune?   I have tried deep linking and get a privileges error.   Info greatly appreci...
Intune
mobile device management (mdm)
Thijs Lecomte's avatar
Thijs Lecomte
Bronze Contributor
Jun 04, 2020

Orion-Skol 

In the Access work/school account you can enroll into MDM only.

 

I just tested this in my lab and it works great

 

 

TG's avatar
TG
Copper Contributor
May 23, 2022

Thijs Lecomte this is NOT the solution.

 

If the device is already JOINED to Azure AD, and then if you select "Enroll only in device management", the device will join Intune as a personal device. This is bad. Don't do it.

 

The only real solution to this, is to do one of the following:

  1. Reset the device
  2. Create a local user account with admin privs, log into it, Disconnect the Azure AD Joined account in "Access work or school" settings, run this MS deep link "ms-device-enrollment:?mode=aadj&ownership=3" which will join it to AAD and Intune as corporate device, log back into Windows via AAD account, remove local account.

So in reality, the easiest way is to reset the device. But if that's not possible, you'll have to drag the end user through option #2 to fix it.

  • DriekDesmet's avatar
    DriekDesmet
    Copper Contributor
    Mar 06, 2023
    AAD joined & must enroll to intune later?
    Just user GPO?
    "Computer Configuration > Administrative Templates > Windows Components > MDM."
    "*Enable: “Automatic MDM enrollment using default Azure credentials“
    *Credential: User credentials"
  • TG's avatar
    TG
    Copper Contributor
    Jan 27, 2023

    labandlearn 

    To AAD Join and Enroll in Intune as you mentioned, will require local admin privileges. If end users do not have local admin rights, an IT admin will need to help with it. Someone with local admin rights can run the command to AAD Join the device. If an end-user without admin rights runs it, it will not work. The end-user then uses their AAD credentials to enroll. After enrollment, reboot and log in to Windows with AAD email/password. Then the IT admin needs to help the end-user migrate over their old user profile. Ensure the end-user is Intune licensed before enrolling. Auto-enrollment is nice to have set up as well.

     

    There's two supported scenarios in your case:

    1. AAD Joined + Intune enrolled device: you must log in to Windows using your AAD email/password. This is considered corporate joined / corporate owned.

    2. AAD Registered + Intune enrolled: you continue logging in to Windows with your local user account, the device is AAD registered and is considered a personal / BYOD in AAD and personal owned in Intune.
  • labandlearn's avatar
    labandlearn
    Copper Contributor
    Jan 27, 2023

    TG 

    Hi

    Could you please give an advise?

     

    In our company we've a bunch of local users, at least 10 users / devices with local account ( no admin rights) and now we need to move then to AAD / Intunes for purpose of management, we don't have any on-prem domain or infrastructure, user they have only the O365 license set to their Windows 10 devices (Outlook, OneDrive, Excel file etc...)

     

    I was planning to "Join this device to Azure Active Directory" from Set up a work or school account. but my question is once this done, do I need to copy the local profile ? There is another way to manage my scenario smoothly as reset pc is not an option.

     

    Thank you in advance.

    Luis Loreiro