Transitioning remote computers from Classic to Modern Intune
We're in the process of transitioning from Classic (Silverlight/application based) Intune to Modern Azure integrated Intune for our Windows 10 computers. All of our computers are remote and rarely VPN into the office. Is there a good way to automate this transition?
All corporate computers are local AD joined and synced into Azure AD. We created a group policy to automatically enroll devices and configured Azure AD properly. When we use Silverlight to remove computers and they're in the office, they get the Group Policy and they auto-enroll once the Classic application is uninstalled from the computer.
Since most computers are out of the office, we have to request that the end users VPN in, run gpupdate, and then drop off the VPN. It's not hard, but getting end users to do anything is difficult.
We tried using classic Intune to push out the registry keys and it did, but they don't seem to take effect and auto-enroll devices after the old client is removed. Here are the keys we pushed:
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM /f
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM /v AutoEnrollMDM /t REG_DWORD /d 00000001 /f
reg add HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM /v UseAADCredentialType /t REG_DWORD /d 00000001 /f
Any thoughts on a way to automate this so that once we remove the Classic Intune client, the computer auto-enrolls in Modern Intune without asking the end user to do anything?
Thanks.
- ShellBlazer (Brass Contributor)
Hey Alex,
The actual enrollment is triggered by a scheduled task that is created when the GPO is applied.
I have not tried creating that task in any way so far, but this is something you could investigate.
You can find more on this process at: https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy
Detecting the VPNs and remotely triggering the GPUpdate on the connected devices might be something you could look into as well.
- Alex Carlock (Iron Contributor)
ShellBlazer That article is what we used to set up our GPO for automatic enrollment. The interesting thing is that manually creating the registry keys that the GPO creates doesn't trigger Windows to create the scheduled task. I may look into creating the scheduled task via a script; I don't know if it'll matter that it's created in a different place in the Task Scheduler hierarchy.
All the users have the VPN connection on their system and most should have their credentials saved. My issue is that I don't know how to trigger a connection under the user's context via a Classic Intune script. I think all classic Intune scripts run under the System context. That context won't have saved user credentials to connect to the VPN, and I'm not comfortable including the credentials in a batch file. Thoughts about that would be helpful if you have any.
Thanks.
- Moe_Kinani (Bronze Contributor)
Hi Alex,
In order to enroll to Modern Intune, you need to unenroll from Classic, which can be done from the Silverlight portal.
Use one of the two methods below:
1. Use Connect to MDM using a deep link. It is explained in detail below:
https://docs.microsoft.com/en-us/windows/client-management/mdm/mdm-enrollment-of-windows-devices#con...
2. This scenario can be done if you have another way to use PowerShell remotely without Classic Intune; in my case I had a different tool to push the reg after decommissioning Classic Intune.
Needs at least Windows 10 1809
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
"AutoEnrollMDM"=dword:00000001
Hope this helps!
Moe
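Added example, not from any of the posters above: a PowerShell script that writes the same policy values the GPO sets (the keys Alex pushed and the single value Moe lists) and then registers the scheduled task that the GPO's client-side extension normally creates, which is the piece the reg adds alone were missing. The task name, path, command line (deviceenroller.exe /c /AutoEnrollMDM) and SYSTEM principal are my understanding of what the GPO creates, not something stated in the thread; before deploying, export the task from an office machine that enrolled via the GPO (Export-ScheduledTask) and diff it against what this script registers. The 5-minute trigger schedule and the event-log check at the end are also my choices.

```powershell
# Added example (not the thread's or Microsoft's code). Run elevated, e.g. from the
# management agent's SYSTEM context. Assumes a hybrid Azure AD joined Windows 10
# device (1809 or later per Moe's note) and a working MDM scope in Azure AD.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
# Assumed to match the task the GPO creates; verify against an office-enrolled machine.
$TaskPath  = '\Microsoft\Windows\EnterpriseMgmt\'
$TaskName  = 'Schedule created by enrollment client for automatically enrolling in MDM from AAD'

# 1. Policy values written by "Enable automatic MDM enrollment using default Azure AD credentials".
#    UseAADCredentialType = 1 selects the device credential, so no signed-in user is needed.
if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
New-ItemProperty -Path $PolicyKey -Name 'AutoEnrollMDM'        -PropertyType DWord -Value 1 -Force | Out-Null
New-ItemProperty -Path $PolicyKey -Name 'UseAADCredentialType' -PropertyType DWord -Value 1 -Force | Out-Null

# 2. Register the enrollment task. Setting the keys alone never runs the enrollment
#    client; the GPO engine is what creates this task, so a script has to do it here.
$Action = New-ScheduledTaskAction -Execute "$env:windir\System32\deviceenroller.exe" -Argument '/c /AutoEnrollMDM'

# Start 5 minutes from now, then retry every 5 minutes for a day (covers devices that
# are offline or whose Azure AD device registration has not completed yet).
$Trigger = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
             -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 1)

# Device-credential enrollment runs as SYSTEM, so no user logon or saved VPN creds are involved.
$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries -StartWhenAvailable

Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Action $Action -Trigger $Trigger `
    -Principal $Principal -Settings $Settings -Force | Out-Null

# 3. Verification. The enrollment client logs to the DeviceManagement-Enterprise-Diagnostics-Provider
#    channel; event 75 is a successful auto-enrollment, 76 a failure with the reason in the message.
Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName | Select-Object TaskName, State

Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
    -MaxEvents 50 -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 75, 76 } |
    Select-Object TimeCreated, Id, Message
```

Two practical notes. The Classic client must already be gone before the task fires, otherwise the device still reports as Classic-managed; run this from whatever tool performs the uninstall, after it completes. And because the task runs as SYSTEM with device credentials, it answers Alex's VPN concern for the enrollment step itself: the device only needs Internet reachability to Azure AD and the Intune service, not a user-context VPN session.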