Forum Discussion
Transitioning remote computers from Classic to Modern Intune
Hey Alex,
The actual enrollment is triggered by a scheduled task that is created when the GPO is applied.
I have not tried creating that task in any way so far, but this is something you could investigate.
You can find more on this process at: https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy
Detecting the VPNs and remotely triggering the GPUpdate on the connected devices might be something you could look into as well.
- Alex Carlock, Jul 18, 2020, Iron Contributor
ShellBlazer That article is what we used to set up our GPO for automatic enrollment. The interesting thing is that manually creating the registry keys that the GPO creates doesn't trigger Windows to create the scheduled task. I may look into creating the scheduled task via a script; I don't know if it'll matter that it's created in a different place in the Task Scheduler hierarchy.
All the users have the VPN connection on their system and most should have their credentials saved. My issue is that I don't know how to trigger a connection under the user's context via a Classic Intune script. I think all classic Intune scripts run under the System context. That context won't have saved user credentials to connect to the VPN, and I'm not comfortable including the credentials in a batch file. Thoughts about that would be helpful if you have any.
Thanks.
- Moe_Kinani, Jul 19, 2020, Bronze Contributor
Hi Alex,
In order to enroll in Modern Intune, you need to unenroll from Classic, which can be done from the Silverlight portal.
Use one of the two methods below:
1. Use Connect to MDM using deep link. It is explained in detail below:
https://docs.microsoft.com/en-us/windows/client-management/mdm/mdm-enrollment-of-windows-devices#con...
2. This scenario can be done if you have another way to use PowerShell remotely without Classic Intune. In my case I had a different tool to push the reg after decommissioning Classic Intune.
Needs at least Windows 10 1809
[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
"AutoEnrollMDM"=dword:00000001
Hope this helps!
Moe
- Alex Carlock, Aug 04, 2020, Iron Contributor
I wanted to post an update about our progress. We'd originally pushed out the AutoEnrollMDM value using Classic Intune, and on a few computers, they automatically enrolled in Modern Intune as soon as Classic Intune was removed using the Silverlight console. Then we found it wasn't working for the majority of our computers (hence looking for another way). We thought of somehow scripting a VPN connect/GPUpdate/VPN disconnect, but I can only seem to get Classic Intune to interact with Local System, and VPN credentials are stored at the User level (if they've opted to save them), so that didn't work. We ended up removing systems from Classic Intune and then emailing users to VPN connect/GPUpdate/VPN disconnect. That's worked for most users. There have been a few we've had to troubleshoot, but that likely would have been the case no matter what method we used.
I wish I had a more enlightened method to share. But at least our transition is just about complete.
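
For troubleshooting the machines that did not enroll, here is a read-only check of the three things this thread discusses: the Windows 10 1809 minimum, the AutoEnrollMDM policy value, and whether the enrollment scheduled task exists. It is an added example, not a script posted by anyone in the thread. The task folder `\Microsoft\Windows\EnterpriseMgmt\` comes from Microsoft's auto-enrollment documentation rather than from this discussion, and the function name `Get-AutoEnrollState` is hypothetical.

```powershell
# Added example: read-only diagnostic, makes no changes to the machine.
# Run in an elevated PowerShell session on the client being checked.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$TaskPath  = '\Microsoft\Windows\EnterpriseMgmt\'  # assumption: folder named in Microsoft's docs
$MinBuild  = 17763                                 # build number of Windows 10 1809

function Get-AutoEnrollState {
    # OS build, compared against the 1809 minimum mentioned in the thread
    $build = [int](Get-CimInstance -ClassName Win32_OperatingSystem).BuildNumber

    # Policy value; stays $null when the key or the value is missing
    $prop  = Get-ItemProperty -Path $PolicyKey -Name AutoEnrollMDM -ErrorAction SilentlyContinue
    $value = if ($prop) { $prop.AutoEnrollMDM } else { $null }

    # Tasks directly under the EnterpriseMgmt folder (empty array if none)
    $tasks = @(Get-ScheduledTask -TaskPath $TaskPath -ErrorAction SilentlyContinue)

    # Report the first failing precondition, in the order enrollment depends on them
    $finding = if ($build -lt $MinBuild) {
        'OS is older than Windows 10 1809'
    } elseif ($value -ne 1) {
        'AutoEnrollMDM policy value is missing or not 1'
    } elseif ($tasks.Count -eq 0) {
        'Policy value is set but no enrollment task exists (needs a GPUpdate while connected)'
    } else {
        'Policy value and scheduled task are both present'
    }

    [pscustomobject]@{
        ComputerName  = $env:COMPUTERNAME
        Build         = $build
        AutoEnrollMDM = $value
        TaskNames     = ($tasks | ForEach-Object { $_.TaskName }) -join '; '
        TaskStates    = ($tasks | ForEach-Object { $_.State }) -join '; '
        Finding       = $finding
    }
}

Get-AutoEnrollState | Format-List
```

The third finding corresponds to the case reported above, where the registry value was present but Windows had not created the scheduled task.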