SOLVED

Best way to join AzureAD devices to Intune


Any suggestions on the best way to join Azure AD devices to Intune?

 

Users do not have admin access and are synced from on-premises AD to AAD.

I need to have zero user interaction, as I am using an RMM tool to deploy the scripts.

I tried the below:

# Locate the TenantInfo subkey (named after the tenant ID) that the Azure AD join created.
$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*'
$keyinfo = Get-Item "HKLM:\$key" | Select-Object -First 1   # guard against more than one subkey
$url = $keyinfo.Name
$url = $url.Split("\")[-1]                                    # last path segment = tenant ID
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$url"

# Point the device at the Intune MDM enrollment, terms-of-use and compliance endpoints.
New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath $path -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ea SilentlyContinue;

# Trigger the automatic MDM enrollment.
C:\Windows\System32\deviceenroller.exe /c /AutoEnrollMDM

 

However, I got an error when trying to run deviceenroller through the RMM:
"DeviceEnroller.exe" is not recognized as an internal or external command

I was able to run the command from the client directly, but nothing happens and the endpoint is not appearing in Intune after a few hours.

@Intune_Support_Team 

 

 


Looks like a part of my script from my website 😛
We are using a bit of the same script to enroll the device into Intune. When we deploy it as a script in SolarWinds/N-able it works as expected.

 

What happens if you change it to this: 

 

$EnrollmentProcess = Start-Process -FilePath "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/C /AutoenrollMDM" -NoNewWindow -Wait -PassThru

Yes, it was your script.
Running it with the changes you mentioned.
The only change in my scenario is that users do not have admin rights on the laptops.
Will update you soon on the results.
Unfortunately, getting the same error here also with deviceenroller.exe:

2023-03-21T17:40:50Z|CommandLine: cmd.exe /d /c powershell.exe -ExecutionPolicy Bypass -WindowStyle Hidden -NonInteractive -NoProfile -File "USA-deviceenroller.ps1"
Start-Process : This command cannot be run due to the error: The system cannot find the file specified.
At C:\Program Files (x86)\Tanium\Tanium Client\Downloads\Action_641716\USA-deviceenroller.ps1:1 char:22
+ ... ntProcess = Start-Process -FilePath "C:\Windows\System32\DeviceEnroll ...
+ ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
+ CategoryInfo : InvalidOperation: (:) [Start-Process], InvalidOperationException
+ FullyQualifiedErrorId : InvalidOperationException,Microsoft.PowerShell.Commands.StartProcessCommand
best response confirmed by sidhinsasi (Copper Contributor)
Solution

almost as if it is looking for the proper version ..32/64 .... that's odd.. changing the path to sysnative instead isn't working also???? also .... Tanium 🙂 we can always blame mister Niehaus... right 😉
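The 32/64 and sysnative remark is the key to the "file not found" error in the Tanium log above: the Tanium client lives under Program Files (x86), so the script runs in a 32-bit process, and on 64-bit Windows a 32-bit process has C:\Windows\System32 silently redirected to C:\Windows\SysWOW64 (WOW64 file system redirection). DeviceEnroller.exe only ships in the native System32, so the redirected path is empty, and Sysnative is the alias a 32-bit process can use to reach the real System32. The following is an added diagnostic example, not code from the thread or from Rudy's site; the function name Get-DeviceEnrollerDiagnosis is my own.

```powershell
# Added example: report whether WOW64 redirection explains a missing DeviceEnroller.exe
# and which path the calling process should use. Run it from the RMM with the same
# bitness as the real deployment to see what that agent actually sees.
function Get-DeviceEnrollerDiagnosis {
    [CmdletBinding()]
    param()

    $is64Os   = [Environment]::Is64BitOperatingSystem
    $is64Proc = [Environment]::Is64BitProcess
    # Redirection applies only to a 32-bit process on a 64-bit OS.
    $redirected = $is64Os -and -not $is64Proc

    $system32Path = Join-Path $env:windir 'System32\DeviceEnroller.exe'
    # Sysnative is only resolvable from a 32-bit process on a 64-bit OS; elsewhere it
    # does not exist, which Test-Path reports as $false.
    $sysnativePath = Join-Path $env:windir 'Sysnative\DeviceEnroller.exe'

    $seenInSystem32  = Test-Path -LiteralPath $system32Path
    $seenInSysnative = Test-Path -LiteralPath $sysnativePath

    $recommended = if ($seenInSystem32) { $system32Path }
                   elseif ($seenInSysnative) { $sysnativePath }
                   else { $null }

    [pscustomobject]@{
        ProcessIs64Bit     = $is64Proc
        OsIs64Bit          = $is64Os
        Wow64Redirected    = $redirected
        FoundViaSystem32   = $seenInSystem32
        FoundViaSysnative  = $seenInSysnative
        RecommendedPath    = $recommended
        Explanation        = if ($redirected -and -not $seenInSystem32 -and $seenInSysnative) {
                                 'System32 is redirected to SysWOW64 for this 32-bit process; use the Sysnative path.'
                             } elseif ($recommended) {
                                 'DeviceEnroller.exe is reachable on the recommended path.'
                             } else {
                                 'DeviceEnroller.exe not found on either path; check the Windows build and the account running the script.'
                             }
    }
}

# Usage: print the diagnosis so it lands in the RMM job output.
Get-DeviceEnrollerDiagnosis | Format-List
```

On a 64-bit machine, running this from a 32-bit PowerShell (C:\Windows\SysWOW64\WindowsPowerShell\v1.0\powershell.exe) should show FoundViaSystem32 False and FoundViaSysnative True, while the 64-bit PowerShell shows the reverse; that difference is exactly what the Tanium log was hitting.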

@Rudy_Ooms_MVP 

 

Thanks Rudy. I was able to get it working after tweaking the deploy method in Tanium 🙂

@sidhinsasi 

 

Nice to hear! Could you explain what you did change? For people experiencing the same issue.

@Rudy_Ooms_MVP 

First I ran Option 3 (PowerShell) from your solution:

# Policy values equivalent to "Enable automatic MDM enrollment using default Azure AD credentials".
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
New-Item -Path $registryPath -Force | Out-Null   # -Force: do not fail if the key already exists
$Name = "AutoEnrollMDM"
$Name2 = "UseAADCredentialType"
$value = "1"
New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $Name2 -Value $value -PropertyType DWORD -Force | Out-Null

 

Then I ran the earlier script:

 

# Locate the TenantInfo subkey (named after the tenant ID) that the Azure AD join created.
$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*'
$keyinfo = Get-Item "HKLM:\$key" | Select-Object -First 1   # guard against more than one subkey
$url = $keyinfo.Name
$url = $url.Split("\")[-1]                                    # last path segment = tenant ID
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$url"
# Point the device at the Intune MDM enrollment, terms-of-use and compliance endpoints.
New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath $path -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ea SilentlyContinue;

Finally

C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM

And it was very quick, I should say.
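The three steps above (policy key, TenantInfo URLs, DeviceEnroller.exe) are what the original question and the accepted answer both boil down to. Here they are combined into one script that an RMM can run as SYSTEM with no user interaction, with the pre-checks and a post-check an admin would want before trusting the job output. This is an added example, not code from the thread or from call4cloud.nl; the registry values and URLs are the ones posted above. The Sysnative handling addresses the 32-bit agent problem discussed earlier, and the post-check assumes that an Intune enrollment is recorded as a GUID subkey under HKLM:\SOFTWARE\Microsoft\Enrollments whose ProviderID is 'MS DM Server' (marked as an assumption in the code). The function name Test-IntuneEnrollment is my own.

```powershell
# Added example: unattended Intune auto-enrollment for an already Azure AD joined device.
$ErrorActionPreference = 'Stop'

# Step 1 (policy): the two values the "Enable automatic MDM enrollment using default
# Azure AD credentials" policy writes. -Force makes the key creation idempotent, so a
# re-run does not fail on an existing key.
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
New-Item -Path $policyPath -Force | Out-Null
New-ItemProperty -Path $policyPath -Name 'AutoEnrollMDM'        -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $policyPath -Name 'UseAADCredentialType' -Value 1 -PropertyType DWord -Force | Out-Null

# Step 2 (tenant info): the TenantInfo subkey is created by the Azure AD join and is
# named after the tenant ID. No subkey means the device is not Azure AD joined, so stop
# instead of writing URLs to nowhere; more than one is unexpected and is logged.
$tenantRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
$tenants = @(Get-ChildItem -Path $tenantRoot -ErrorAction SilentlyContinue)
if ($tenants.Count -eq 0) { throw "No TenantInfo key under $tenantRoot - device is not Azure AD joined" }
if ($tenants.Count -gt 1) { Write-Warning "Multiple TenantInfo keys found; using $($tenants[0].PSChildName)" }
$tenantPath = $tenants[0].PSPath

$mdmUrls = @{
    MdmEnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
    MdmTermsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
    MdmComplianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
}
foreach ($name in $mdmUrls.Keys) {
    New-ItemProperty -LiteralPath $tenantPath -Name $name -Value $mdmUrls[$name] -PropertyType String -Force | Out-Null
}

# Step 3 (enroll): a 32-bit agent on 64-bit Windows has System32 redirected to SysWOW64,
# where DeviceEnroller.exe does not exist; Sysnative reaches the real System32.
$sys32 = if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    Join-Path $env:windir 'Sysnative'
} else {
    Join-Path $env:windir 'System32'
}
$enroller = Join-Path $sys32 'DeviceEnroller.exe'
$proc = Start-Process -FilePath $enroller -ArgumentList '/c', '/AutoEnrollMDM' -NoNewWindow -Wait -PassThru
Write-Output "DeviceEnroller.exe exit code: $($proc.ExitCode)"

# Post-check. Assumption: each MDM enrollment is a GUID subkey under
# HKLM:\SOFTWARE\Microsoft\Enrollments and Intune's carries ProviderID 'MS DM Server'.
# Enrollment completes asynchronously, so poll briefly rather than checking once.
function Test-IntuneEnrollment {
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($k in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $provider = (Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue).ProviderID
        if ($provider -eq 'MS DM Server') { return $true }
    }
    return $false
}
$deadline = (Get-Date).AddMinutes(5)
do {
    if (Test-IntuneEnrollment) { Write-Output 'Intune MDM enrollment record found.'; return }
    Start-Sleep -Seconds 15
} while ((Get-Date) -lt $deadline)
Write-Warning 'No Intune enrollment record after 5 minutes; check the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin event log on the device.'
```

Because it throws on a non-AAD-joined device and warns when no enrollment record appears, the RMM job status tells you which of the three steps failed instead of the silent "nothing happens" outcome described in the original question.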

Hi,

I am confused, I have similar issues. Some of the devices are showing up in Entra but they are not Intune joined. When I search in Intune they are not showing up. How can I join these AAD joined devices to Intune?
Should this be run on the device that is not Intune joined, i.e. the AAD joined device that we are trying to join to Intune?

@oryxway 

 

That code needs to be run on the device itself, just like I am mentioning here:

 

https://call4cloud.nl/2020/05/intune-auto-mdm-enrollment-for-devices-already-azure-ad-joined/
