Mar 21 2023 05:18 AM
Any suggestions on the best way to join Azure AD devices to Intune?
Users do not have admin access and are synced from on-premises AD to AAD.
I need to have zero user interaction as I am using an RMM tool to deploy the scripts.
I tried the below:
# Locate the tenant subkey under TenantInfo. Get-Item with a wildcard returns every
# child key, so take the first one; the original Split would fail on an array.
$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*'
$keyinfo = Get-Item "HKLM:\$key" | Select-Object -First 1
$url = $keyinfo.Name
$url = $url.Split("\")[-1]   # last path element is the tenant ID GUID, despite the variable name
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$url"
# MDM discovery, terms-of-use and compliance URLs that the enroller reads from the tenant key
New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $path -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ErrorAction SilentlyContinue
# Trigger the MDM auto-enrollment on the device
C:\Windows\System32\deviceenroller.exe /c /AutoEnrollMDM
However, I got an error when trying to run deviceenroller through RMM:
"DeviceEnroller.exe" is not recognized as an internal or external command
Though I was able to run the command from the client directly, nothing is happening and the endpoint is not appearing in Intune after a few hours.
Mar 21 2023 09:22 AM - edited Mar 21 2023 09:27 AM
Looks like part of my script from my website 😛
We are using a bit of the same script to enroll the device into Intune. When we deploy it as a script in SolarWinds/N-able it works as expected.
What happens if you change it to this:
# Start the enroller by full path, wait for it and keep the process object so the exit code can be inspected
$EnrollmentProcess = Start-Process -FilePath "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/C /AutoenrollMDM" -NoNewWindow -Wait -PassThru
Mar 21 2023 10:43 AM
Mar 21 2023 10:46 AM
Mar 21 2023 03:50 PM - edited Mar 22 2023 11:24 PM
Solution
Almost as if it is looking for the proper version ..32/64 .... that's odd.. changing the path to sysnative instead isn't working either???? also .... Tanium 🙂 we can always blame Mister Niehaus... right 😉
Mar 23 2023 01:40 PM
Thanks Rudy. I was able to get it working after tweaking the deploy method in Tanium 🙂
Mar 23 2023 01:46 PM
Nice to hear! Could you explain what you did change? For people experiencing the same issue.
Mar 23 2023 01:59 PM
First I ran Option 3 (PowerShell) in your solution:
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
# Create the MDM policy key only if it is missing (New-Item errors on an existing key)
if (-not (Test-Path $registryPath)) { New-Item -Path $registryPath -Force | Out-Null }
$Name = "AutoEnrollMDM"
$Name2 = "UseAADCredentialType"
$value = "1"
# Both values are DWORD 1: enable auto-enrollment and use the AAD device credential
New-ItemProperty -Path $registryPath -Name $Name -Value $value -PropertyType DWORD -Force | Out-Null
New-ItemProperty -Path $registryPath -Name $Name2 -Value $value -PropertyType DWORD -Force | Out-Null
Then I ran the earlier script:
# First tenant subkey under TenantInfo (Get-Item with a wildcard can return several keys)
$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*'
$keyinfo = Get-Item "HKLM:\$key" | Select-Object -First 1
$url = $keyinfo.Name
$url = $url.Split("\")[-1]   # tenant ID GUID
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$url"
New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $path -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ErrorAction SilentlyContinue
New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ErrorAction SilentlyContinue
Finally:
C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM
And it was very quick, I should say.
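The steps from this thread combined into one idempotent script, as an added example that is not any poster's code. It resolves DeviceEnroller.exe through the Sysnative alias when the RMM agent is a 32-bit process, which is the 32/64 mismatch raised in the accepted answer, and finishes with an enrollment check that assumes the standard HKLM\SOFTWARE\Microsoft\Enrollments layout (not shown on this page).

```powershell
# Added example: Intune auto-MDM enrollment for an Azure AD joined device, meant to be
# pushed by an RMM agent running as SYSTEM on the device itself.
$ErrorActionPreference = 'Stop'

# 1. A 32-bit agent on 64-bit Windows sees System32 redirected to SysWOW64, which has no
#    DeviceEnroller.exe; the Sysnative alias reaches the real 64-bit System32.
$sys32 = Join-Path $env:WINDIR 'System32'
if ([Environment]::Is64BitOperatingSystem -and -not [Environment]::Is64BitProcess) {
    $sys32 = Join-Path $env:WINDIR 'Sysnative'
}
$enroller = Join-Path $sys32 'DeviceEnroller.exe'
if (-not (Test-Path -LiteralPath $enroller)) { throw "DeviceEnroller.exe not found at $enroller" }

# 2. MDM auto-enrollment policy values (Option 3 from the accepted answer)
$policy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
if (-not (Test-Path $policy)) { New-Item -Path $policy -Force | Out-Null }
New-ItemProperty -Path $policy -Name 'AutoEnrollMDM'        -Value 1 -PropertyType DWord -Force | Out-Null
New-ItemProperty -Path $policy -Name 'UseAADCredentialType' -Value 1 -PropertyType DWord -Force | Out-Null

# 3. MDM URLs under the tenant subkey written at Azure AD join time (first tenant only)
$tenantKey = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo' |
             Select-Object -First 1
if (-not $tenantKey) { throw 'No TenantInfo subkey: device does not look Azure AD joined' }
$urls = @{
    MdmEnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
    MdmTermsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
    MdmComplianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
}
foreach ($name in $urls.Keys) {
    New-ItemProperty -LiteralPath $tenantKey.PSPath -Name $name -Value $urls[$name] `
        -PropertyType String -Force | Out-Null
}

# 4. Trigger enrollment and surface the exit code in the RMM job output
$proc = Start-Process -FilePath $enroller -ArgumentList '/c', '/AutoEnrollMDM' `
            -NoNewWindow -Wait -PassThru
Write-Output "DeviceEnroller exit code: $($proc.ExitCode)"

# 5. Check (assumption: an Intune enrollment shows up as an Enrollments subkey whose
#    ProviderID is 'MS DM Server'); enrollment is asynchronous, so re-run this later
$enrolled = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
            Get-ItemProperty -ErrorAction SilentlyContinue |
            Where-Object { $_.ProviderID -eq 'MS DM Server' }
Write-Output ("Intune enrollment present: {0}" -f [bool]$enrolled)
```

A non-zero exit code or a missing Sysnative path in the RMM log tells you whether the agent is the wrong bitness or the device is not Azure AD joined, which are the two failure modes this thread ran into.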
Jul 19 2024 01:22 PM
Jul 19 2024 01:24 PM
Jul 19 2024 10:03 PM
That code needs to be run on the device itself, just like I am mentioning here:
https://call4cloud.nl/2020/05/intune-auto-mdm-enrollment-for-devices-already-azure-ad-joined/