Intune auto MDM enrollment for devices already Azure AD joined?

I have a client whose fleet of Windows 10 PCs are already joined to their organizational AAD (company-ownership), without any MDM, but now would like to start using Intune. They've upgraded their licenses to AAD Premium and EMS, so that they could use Intune MDM for these devices - and take advantage of MDM auto-enrollment going forward. However, is it possible to get their existing non-MDM devices to "auto enroll" into Intune, even though they are already AAD joined (prior to them getting Intune)? I can only find auto-enrollment scenarios working at AAD join time, not after the fact.
Solution

Hi Bob,

auto-enrollment is not supported when not used with OOBE and AADJ. But you could use an approach to guide users to MDM enrollment by sending out deep links via email for example. See here:

https://docs.microsoft.com/en-us/windows/client-management/mdm/mdm-enrollment-of-windows-devices#con...

best,

Oliver

Hi Oliver,

so what should companies which have long been using AAD joined devices and want to start using Intune leveraging the Intune Management Extension do?? Since the extension is only installed once MDM is auto-enrolled, and the MDM cannot be auto-enrolled because the client is already joined to Azure AD.

What's the best solution for that?

Thanks

I have the same issue, did you find a solution?

Hi,

may you PM me some more details about how many devices are blocked by this and some more details. This would be helpful for MS.

best,

Oliver

I have a similar case here. We have around 40 laptop users using O365 and devices are connected to Azure AD. Now I want to deploy M365 and Intune for them. I have upgraded the users' subscription to M365 and the Windows version has been upgraded automatically to Windows 10 Business as it should. Computers won't pop up automatically in Intune… I have read that I should cut the current connection to Azure AD from each workstation and re-join the devices again manually to Azure AD. I have tested this and the computers will pop up in Intune. This will do the trick, but isn't there a simpler way?

At scale this would be so painful to do, I wonder if MS is working on this. I've had the same thoughts.

Hi Guys,

Haven't had a chance to try this out in my lab, but it looks like enrolment can be triggered with Group Policy: "starting Windows 10, version 1709 you can use a Group Policy to trigger auto-enrolment to MDM for Active Directory (AD) domain joined devices."

"When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user."

https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatica...

Hope this helps!

The devices are already and only Azure AD joined. As mentioned, the solution seems to be to leave Azure AD and re-join, which is really impracticable for large deployments.

Ok... so to make sure I'm following your scenario :)

You have a large deployment of W10 machines in Workgroups (not joined to on-prem Active Directory), which have been Azure AD device joined (not Hybrid/ADDJ) and you want to trigger Intune auto-enrolment?

Precisely. The need to trigger auto enroll is because I will be heavily using the Intune Management Extension (which is auto deployed only when auto enroll is used).

Hi Jose,

Spent some time testing your scenario in my lab, and as suspected, you don't need to leave AAD and rejoin to trigger silent auto-enrolment :)

Please start another thread, tag me and we'll walk through my results.

Kind regards,

Matt

Matt, could you please post your method here in this thread, since it's where the question was originally posted?

Thanks!

Bob

Hi All,

Auto-Enrolment can be triggered using local policy. Please ensure users are logging into Windows using their Azure AD credentials, the device is Azure AD joined and users have been assigned Intune licenses.

Local policy can be configured using GPEdit.msc or applying the registry key below. Agreed this doesn't help in scenarios where you have roaming users, however the reg key could be deployed using PowerShell when users visit the office.

** Tested using W10 - 1809

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
"AutoEnrollMDM"=dword:00000001
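An added example (not posted by Matt or anyone in this thread) of the PowerShell deployment he mentions: it parses dsregcmd /status the same way BENT17's output further down is read, refuses to write the policy value when the device is not Azure AD joined, then sets the AutoEnrollMDM value from the .reg text above. Running it elevated on a Windows 10 device and the final deviceenroller.exe invocation (the command the policy's scheduled task runs, used here only to avoid waiting for the task) are assumptions.

```powershell
# Added example: preflight check + apply the AutoEnrollMDM local policy value.
# Assumes: run elevated on a Windows 10 device that is Azure AD joined (not only
# on-prem domain joined) by a user who holds an Intune license.
#Requires -RunAsAdministrator

function Get-DsregState {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable;
    # header/table lines without a colon are ignored.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

$state = Get-DsregState

# BENT17's case below (DomainJoined : YES, AzureAdJoined : NO) is exactly what
# this guard catches: the policy pulls its MDM settings from the AAD user
# information, so without an AAD join writing the key achieves nothing.
if ($state['AzureAdJoined'] -ne 'YES') {
    Write-Warning ("Device is not Azure AD joined (AzureAdJoined=" +
        "$($state['AzureAdJoined']), DomainJoined=$($state['DomainJoined'])); " +
        "AutoEnrollMDM will not trigger enrollment here.")
    return
}

# Same key and value as the .reg snippet in this thread.
$keyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
if (-not (Test-Path $keyPath)) {
    New-Item -Path $keyPath -Force | Out-Null
}
Set-ItemProperty -Path $keyPath -Name 'AutoEnrollMDM' -Value 1 -Type DWord
Write-Host "AutoEnrollMDM=1 written to $keyPath"

# Assumption: kick off the enrollment now instead of waiting for the scheduled
# task the policy creates; this is the task's own action.
& "$env:windir\System32\deviceenroller.exe" /c /AutoEnrollMDM
```

Check the result afterwards with dsregcmd /status again, or in the Intune portal under "All devices" rather than "Azure AD devices", which is the distinction BENT17 describes later in the thread.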

Hey José,

currently the supported way is to re-join to trigger Intune Management Extension installation via auto-enroll. The only thing I can tell is the product group is aware of this. No information if it will change but they are aware.

best,

Oliver

Thanks for the reply Oliver. I was just looking for an official confirmation that this is the only supported way. It's going to be tough to tell that to our clients but it is what it is.

Thanks

Yes that is the only way, had to do it for at least 50 laptops

Hi Kaya,

thanks for your reply but that doesn't work because the devices are currently not managed by Intune:

"For this blog I have the following assumptions;

  • You have Windows AutoPilot already up and running in your Azure tenant like described in my previous blog
  • You have Windows 10 devices in use that are currently managed by Microsoft Intune but are not registered with Windows AutoPilot."

Imagine the following scenario: a company which is cloud only and all the devices (hundreds) are joined to Azure AD. They never saw the benefits of Intune before so the MDM was never configured. Now they are getting into the idea of managing these devices via Intune only and leveraging the app distribution provided by Intune (which requires the Intune Management Extension). The only way the Management Extension is installed automatically is when the device is joined to Azure AD. So for this company to be enabled with Intune and the Mgmt Extension they need to manually re-join all its devices to Azure AD.

That is sadly the only way it currently works.

I am running into this exact same scenario. The previous director of IT only enrolled in the Office 365 plan with Azure Active Directory, and we now want to use MDM with Intune and it's turning out that we can't because everyone is already signed into Azure Active Directory.

Welcome to the club mate. Only way to get it to work is unenroll from Azure (make sure you know the local admin account pwd and the account is active), reboot and re-enrol.

2nd that, completed my site doing the above. You don't lose user profiles. Everything stays the same when you remove and add them back in.

This would require a reset to implement for intune enrollment, probably out of the OP's scope.

I have hundreds of laptops which I need to enrol in Intune. I have set up the GPO to auto enrol but all they appear under is Azure AD Devices and not under All devices. I need them under All devices so that I can manage them. If I download the Company Portal and follow the steps then the laptop gets enrolled, however I want this to be transparent and automatically enrolled. Any help??

Hi BENT17,

please have a look at "Scenario 8" in the article "Managing Windows 10 with Intune – The Many Ways to Enrol", you need to set two different GPOs, one that controls hybrid AAD join and one that controls Intune MDM enrollment:

Managing Windows 10 with Intune – The Many Ways to Enrol

https://blogs.technet.microsoft.com/microscott/managing-windows-10-with-intune-the-many-ways-to-enro...

Enroll a Windows 10 device automatically using Group Policy

https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatica...

best,

Oliver

Interesting read @Oliver Kieselbach

My devices are all domain joined on a local on-prem DC and then we use the work account for authentication. In fact if I run dsregcmd /status this is what I get:

AzureAdJoined : NO
EnterpriseJoined : NO
DomainJoined : YES

Any idea what I can do?

Hi Bent. Have you configured Intune auto enrollment? If you haven't before you configured the GPO and now the devices are local AD joined and Azure AD registered (showing under Azure AD Devices but not All devices) I'm afraid you will have to enable auto enrollment and delete the devices from Azure AD devices (do a test with only one to see before you delete everything).

Yes I have configured auto enrolment to a specific group. I then configured the MDM GPO to auto enrol also. My devices are all local AD joined and have a work O365 account linked to the PC. I deleted the PC from under Azure AD Devices, formatted the PC and once back up it reappeared under Azure AD Devices but not under All devices.

This might be the solution for our problem, at least for small organizations ->

https://docs.microsoft.com/en-us/windows/client-management/mdm/mdm-enrollment-of-windows-devices#con...

Check out the section:

Connecting to MDM on a desktop (Enrolling in device management)

By running that I didn't need to have the portal installed and neither did the user need to be an admin to enrol. Is there a way to enrol the device automatically and skip the manual steps?

Hey.

Can you double check if you followed all the steps described here?

https://docs.microsoft.com/en-us/intune/windows-enroll

Mainly the part that says that MDM and MAM cannot both be set to All. (Just to be sure)

Good news to all, the "Intune In Development" site does list a feature which will be released soon that solves the agent install on devices not auto-enrolled, see here:

Configure your Win32 apps to be installed on Intune enrolled Azure AD joined devices

You'll be able to assign your Win32 apps to be installed on Intune enrolled Azure AD joined devices. For more information about Win32 apps in Intune, see Win32 app management.

https://docs.microsoft.com/en-us/intune/in-development#configure-your-win32-apps-to-be-installed-on-...

best,

Oliver

@BENT17

@Zerobit_0101

Did you ever find a solution to automate the "Enroll only in device management" button?

After days of searching, finally I found a way to get PowerShell scripts on my AD REGISTERED (not joined) machines... and it's by using this "Enroll only in device management" button. For some reason this is different than adding your account with auto-enroll set up.

Now, my machines receive MDMFull instead of MDMFullWithAAD and I can manually install the Intune Management Extension and get PowerShell scripts.

Now if I could just apply this to my users automatically without removing them from AD and rejoining them manually. Any tips? Thanks

@Zerobit_0101

Existing AAD Device - try bulk enrollment - it will probably rejoin the device to AAD but after a few days, I believe the records will merge. Be patient.

https://docs.microsoft.com/en-us/intune/windows-bulk-enroll

@nick aquino

Bulk enrollment requires you to send a .ppkg manually to each device that is already enrolled. Not really an option.
