SOLVED

Intune auto MDM enrollment for devices already Azure AD joined?

Steel Contributor
I have a client whose fleet of Windows 10 PC's are already joined to their organizational AAD (company-ownership), without any MDM, but now would like to start using Intune. They've upgraded their licenses to AAD premium and EMS, so that they could use Intune MDM for these devices - and take advantage of MDM auto-enrollment going forward. However, is it possible to get their existing non-MDM devices to "auto enroll" into Intune, even though they are already AAD joined (prior to them getting Intune)? I can only find auto-enrollment scenarios working at AAD join time, not after the fact.
46 Replies
Welcome to the club mate. Only way to get it to work is unenroll from azure (make sure you know the local admin account pwd and the account is active) reboot and re-enrol.
2nd that , completed my site doing the above. You don’t lose user profiles . Everything stays the same when you remove and add them back in

This would require a reset to implement for intune enrollment, probably out of the OP's scope.

I have hundreds of laptops which I need to enrol to intune. I have set up the gpo to auto enrol but all they appear is under Azure AD Devices and not under All devices. I need them under all devices so that I can manage them. If I download the company portal and follow the steps then the laptop gets enrolled however I want this to be transparent and automatically enrolled. Any help??

Hi BENT17,

 

please have a look at "Scenario 8" in the article "Managing Windows 10 with Intune – The Many Ways to Enrol", you need to set two different GPOs, one that controls hybrid AAD join and one that controls Intune MDM enrollment:

 

Managing Windows 10 with Intune – The Many Ways to Enrol

https://blogs.technet.microsoft.com/microscott/managing-windows-10-with-intune-the-many-ways-to-enro...

 

Enroll a Windows 10 device automatically using Group Policy

https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatica...

 

best,

Oliver

Interesting read @Oliver Kieselbach 

 

My Devices are all domain joined on a local on prem DC and then we use the work account for authentication. In fact if I run dsregcmd /status  this is what I get 


AzureAdJoined : NO
EnterpriseJoined : NO
DomainJoined : YES

Any idea what I can do?
Hi Bent. Have you configured intune auto enrollment? If you haven’t before you configured the gpo and now the devices are local ad joined and azure ad enrolled (showing under Azure AD Devices but not all devices) i’m afraid you will have to enable auto enrollment and delete de devices from azure ad devices (do a test with only one to see before you delete everything.

Yes I have configured auto enrolment to a specific group. I then configured the MDM gpo to auto enrol also.  My devices are all local AD joined and have a work O365 account linked to the PC. I deleted the PC from under AD Azure Device, formatted the PC and once back up it re appeared under AD Azure PC but not under all devices.

This might be the solution for our problem at least for small organizations ->

 

https://docs.microsoft.com/en-us/windows/client-management/mdm/mdm-enrollment-of-windows-devices#con...

 

Check out the section:

Connecting to MDM on a desktop (Enrolling in device management)

By running that I didnt need to have the portal installed and neither did the user need to be an admin to enrol. Is there a way to automatically enrol the device automatically and skipping the manual steps?

Hey.

Can you double check if you followed all the steps described here ??

https://docs.microsoft.com/en-us/intune/windows-enroll

Mainly the part that says that mdm and mam cannot be both set to all. (Just to be sure)

Good news to all, the "Intune In Development" site does list a feature which will be released soon that solves the agent install on devices not auto-enrolled, see here:

 

Configure your Win32 apps to be installed on Intune enrolled Azure AD joined devices 

You'll be able to assign your Win32 apps to be installed on Intune enrolled Azure AD joined devices. For more information about Win32 apps in Intune, see Win32 app management.

 

https://docs.microsoft.com/en-us/intune/in-development#configure-your-win32-apps-to-be-installed-on-...

 

best,

Oliver

@BENT17 

 

@Deleted 

 

Did you ever find a solution to automate the "Enroll only in device management" button?

 

After days of searching, finally I found a way to get powershell scripts on my AD REGISTERED (not joined) machines... and it's by using this "Enroll only in device management" button. For some reason this is different than adding your account with auto-enroll set up.

Now, my machines receive MDMFull instead of MDMFullWithAAD and I can manually install the Intune Management Extension and get powershell scripts.

 

Now if I could just apply this to my users automatically without removing them from AD and rejoining them manually. Any tips? Thanks

@Deleted 
Existing AAD Device - try bulk enrollment - it will probably rejoin the device to AAD but after a few days, I believe the records will merge.  Be patient.

https://docs.microsoft.com/en-us/intune/windows-bulk-enroll

@nick aquino 

 

Bulk enrollment requires you to send a .ppkg manually to each device that is already enrolled. Not really an option.

@Bob Manjoney,

The easiest way is to just got to the "Access Work or School" setting, and then click "Connect" again, and sign in again. This will apply the MDM policy as long as the user you're using has that license applied to them. 

 

I'm doing this now as we're deploying MDM on an Azure AD environment. It's still manual, but it's not that bad. Users could also do this if they have an MDM license. 

@wombat39This got the device into Intune, however it looks like it adds the device as BYOD device (personal) and not a corporate device. 

We have on premise AD using AD connect to sync details to AAD, all users are using M365. 

We have followed the instructions to auto enrol

https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll

but so far, none of our test clients are enrolling.

User 1 – Domain joined on local prem DC

AzureAdJoined: YES

EnterpriseJoined: NO

DomainJoined: YES

User 2 – Device joined to Azure AD

 

As other’s have mentioned, we would like to minimise the disruption to end users, hence why we were looking to use the auto enrolment option.

Frustrating situation. I found this solution. Specifically I used the powershell script and deployed via RMM agent installed on systems already. Script adds registry key then creates scheduled task to start MDM enrollment. Hope this helps someone

 

https://timmyit.com/2018/12/17/mdm-join-an-already-azure-ad-joined-windows-10-pcs-to-intune-with-a-p...