Device enrolment issue/question

Hi Community,
I have walked into a role where Intune/Endpoint Manager has already been set up. This is a cloud-native environment: no on-premises and no Config Manager. I want to know if there is a way to enrol a device into Endpoint Manager without the user having to log in to a work account on the device or going through enrolment themselves?

Hi @AMR_01,

You can take a look at Autopilot self-deploying mode.

Windows Autopilot self-deploying mode (Public Preview) | Microsoft Docs

But for a correct answer: what is the goal you want to achieve, and what is the reason you don't want the user to log on with their work account on the device?

Kind regards,

Rene

Hi @Mr_Helaas - Rene,

Thanks for replying. The real reason, or two, is: I have one user who has a company PC (at home) and has logged in to his work account, and the device shows up as Azure AD joined but fails to enrol into Endpoint Manager. The other reason is I have sent a machine direct from the manufacturer to the user, and he has managed to log in to his work account, but the device is only Azure AD registered and also not enrolled into Endpoint Manager. Both are on the Enterprise Mobility + Security E3 licence. I'm not sure where it has failed, as there are no logs I can investigate, so I thought the best way is to take it out of the user's hands to enrol? What do you think are the best options for me?
Thanks,
Abs

Hi @AMR_01,

If the PC is connected to the internet and properly configured in Endpoint Manager to use Autopilot, the user shouldn't have problems enrolling the PC and having it show up in Endpoint Manager.

One thought: you can enrol the PCs with a DEM account and then send them to the user. You just have to change the primary user after the PC is enrolled and showing Compliant in Endpoint Manager.

Hope this helps!

Moe

Enroll devices using a device enrollment manager account - Microsoft Intune | Microsoft Docs

Hi,

The best option is of course to upload the hash to Intune to start enrolling them into Autopilot. But I feel the "pain".
Maybe look into a bulk enrollment like described here?

https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll

Hi Moe, the PCs are not in Endpoint Manager and I don't have Autopilot configured. In our setup the PC is AAD joined before it is managed by Endpoint Manager. I think I need to look into Autopilot to see if this can help me solve these non-enrolment issues.
Thanks,
Abs

Hi, it's a pain, especially walking into a half setup and now needing to find out how we are going to use Endpoint Manager. We are cloud native and everyone is working from home. I need to figure out how to manage all these Windows devices from scratch. I've been looking into Autopilot for future enrolment, but for the current ones most likely DEM? What do you think?

The provisioning package doesn't require a DEM account... only beware of the number of devices one user can enrol 🙂 ...

Hi @AMR_01

I think your best option is to fix the enrollment issue. Intune will help you with managing the company devices.

Can you check if your MDM enrollment settings are correctly configured within Intune? As I can see, joining Azure AD is not the problem, only the enrollment in Intune.

Can you also check the enrollment restrictions and device limit restrictions?

Autopilot will not fix your problem if you are not able to join your Intune environment. Autopilot will fix your AAD registered problem, but the enrollment needs to be fixed first.

You can find some logs in Event Viewer, logged under Applications and Services Logs/Microsoft/Windows/DeviceManagement-Enterprise-Diagnostics-Provider.

Did you already check this Microsoft doc page?

Troubleshooting Windows device enrollment problems in Intune - Intune | Microsoft Docs

Can you try to download the Company Portal app on a device and check if you are able to log on and manage the device by your organization? Please upload a screenshot or log files if you see any errors.

Kind regards,

Rene
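An added example, not part of Rene's reply and not a Microsoft tool, that collects the information he points at from the affected device in one go: recent errors and warnings from the DeviceManagement-Enterprise-Diagnostics-Provider channel, plus the state of the scheduled task that turns an Azure AD join into an MDM enrollment. Run it in an elevated PowerShell on the device. The event-log channel and the EnterpriseMgmt task folder are the real Windows names; the Error/Warning-only filter, the 48-hour window and the wildcard used to find the task are this example's own choices.

```powershell
# Added example (not from the thread). Enrollment diagnostics for a device that
# joined Azure AD but never appeared in Intune. Run elevated on the device.
# Assumptions: Level 2/3 events only, 48-hour window, task located by wildcard.

function Get-MdmEnrollmentDiagnostics {
    param([int]$Hours = 48)

    $log   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $since = (Get-Date).AddHours(-$Hours)

    # 1. Recent errors (Level 2) and warnings (Level 3) written by the enrollment
    #    client. Failed auto-enrollment attempts land here with the error code in
    #    the message text, so the message is kept verbatim.
    $events = Get-WinEvent -FilterHashtable @{
                  LogName   = $log
                  Level     = 2, 3
                  StartTime = $since
              } -ErrorAction SilentlyContinue |
              Select-Object TimeCreated, Id, LevelDisplayName, Message

    # 2. The scheduled task that performs AAD -> MDM auto-enrollment. If it is
    #    missing or never ran, the device never even attempted to enroll, which
    #    is what you see when the user is outside the MDM user scope group.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -like '*automatically enrolling in MDM from AAD*' } |
            Select-Object -First 1
    $taskInfo = if ($task) {
        $info = $task | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskName       = $task.TaskName
            State          = $task.State
            LastRunTime    = $info.LastRunTime
            LastTaskResult = ('0x{0:X8}' -f $info.LastTaskResult)   # 0x00000000 = success
        }
    } else {
        'auto-enrollment task not present'
    }

    [pscustomobject]@{
        AutoEnrollTask = $taskInfo
        RecentErrors   = @($events)
        ErrorCount     = @($events).Count
    }
}

$diag = Get-MdmEnrollmentDiagnostics -Hours 48
$diag.AutoEnrollTask | Format-List
$diag.RecentErrors   | ForEach-Object { '{0:u}  [{1}]  {2}' -f $_.TimeCreated, $_.Id, $_.Message }
```

A non-zero LastTaskResult together with an error event in the same minute is the usual picture when the device did try to enroll and was rejected (enrollment restrictions, device limit, licensing); no task at all points at the MDM user scope rather than at the device.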

Hi... I didn't read that part about Azure AD joined devices that aren't enrolled into Intune. That's something to look into...
My first guess would be the MDM scope. I am explaining the whole process and the differences between AADJ/AADR and MDM/MAM scope here:

https://call4cloud.nl/2021/08/the-battle-between-aadj-and-aadr/

Were those licenses purchased before the devices were Azure AD joined? If so, you will need to enroll them manually into MDM/Intune:

https://call4cloud.nl/2020/05/intune-auto-mdm-enrollment-for-devices-already-azure-ad-joined/

I can confirm the OP's complaint. I have several BYOD devices in my tenant that are AAD registered, show Intune as the MDM authority in my Azure portal, but do NOT appear in my Intune portal. They are accessing company information, but are completely unmanaged and also not compliant. My tenant has been set up from the outset to force-enroll all devices, and all users are properly licensed, but these devices have fallen through the cracks. MSFT Support is telling me that everyone has to enroll via Settings -> Accounts -> Work or school account, but I've enrolled computers with nothing more than a login to Teams. That leaves aside the fact that my ability to dictate how people enroll their BYOD devices from home is severely limited. For me, it's a big problem that I have to compare my Azure device list to my Intune list to find what might be missing.

To the OP, if you want to get up to speed on Intune very quickly, I highly recommend Scott Duffey's _Learning Microsoft Endpoint Manager_

https://www.barnesandnoble.com/w/learning-microsoft-endpoint-manager-scott-duffey/1139064650?ean=978...

The problem appears to be related to the "Use this account everywhere on your device" screen, which pops up during initial logon.

If you uncheck the "Allow my organization to manage this device" checkbox, the device will register with Azure AD and not with Intune. Sometimes Azure AD will show Intune managed, and sometimes not. I'm not sure why. I can almost guarantee that the OP's second device was enrolled in this way.

MSFT should look at this process more carefully. There are holes for off-site devices to fall through, and when they do, it's very hard to recover them or even know they've been lost without doing a side-by-side comparison of your Azure devices vs. your Intune devices.

OP, you can send the user this link to force-enroll the device into Intune (probably best to do it from Edge):

ms-device-enrollment:?mode=mdm

It might show as a personally-owned device, however. You can change that designation in the Intune portal, but I'm not sure if that will make you able to push policies to the device. I'm testing it right now.

Intune enrollment into company-owned device status can really only be done during the Out-Of-Box Experience (OOBE) initial logon. If you don't choose the business fork, there isn't a lot you can do without reformatting and trying again. There are, however, something like 17 different methods for enrolling into Intune and I'm no super-expert. Autopilot is great if you have a vendor willing and able to load device IDs into Intune for you. If not, then it's almost more of a hassle than anything else.

Best of luck to you.
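An added example, not from Dr_Snooze's post and not a Microsoft tool, for the "which state is this device actually in?" question behind his reply. It parses `dsregcmd /status` on the device to tell Azure AD joined, Azure AD registered (WorkplaceJoined) and MDM-enrolled (an MdmUrl is present) apart, and only then opens the `ms-device-enrollment:?mode=mdm` link he posted, so a user who unticked "Allow my organization to manage this device" can be walked into enrollment without re-imaging. The dsregcmd field names are the real ones; the decision rule and the function names are this example's own. Run it as the signed-in user.

```powershell
# Added example (not from the thread). Read the device's join/MDM state from
# dsregcmd and start MDM enrollment only when it is missing. Run as the user.
# Assumptions: field names AzureAdJoined, WorkplaceJoined and MdmUrl as printed
# by dsregcmd /status; an empty MdmUrl is treated as "not MDM enrolled".

function Get-DeviceJoinState {
    $text = dsregcmd /status
    $get = {
        param($key)
        $m = $text | Select-String -Pattern "^\s*$key\s*:\s*(.*)$" | Select-Object -First 1
        if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { '' }
    }
    [pscustomobject]@{
        AzureAdJoined   = (& $get 'AzureAdJoined')   -eq 'YES'   # device joined to the tenant
        WorkplaceJoined = (& $get 'WorkplaceJoined') -eq 'YES'   # Azure AD *registered* (BYOD path)
        MdmUrl          = (& $get 'MdmUrl')                      # empty when not MDM enrolled
    }
}

function Invoke-MdmEnrollmentIfMissing {
    [CmdletBinding(SupportsShouldProcess)]
    param()

    $state = Get-DeviceJoinState

    if ($state.MdmUrl) {
        Write-Host "Already MDM enrolled: $($state.MdmUrl)"
        return $state
    }
    if (-not ($state.AzureAdJoined -or $state.WorkplaceJoined)) {
        Write-Warning 'Neither Azure AD joined nor registered; add the work account first.'
        return $state
    }
    # Joined or registered, but no MDM: this is the "unticked the box" case.
    if ($PSCmdlet.ShouldProcess($env:COMPUTERNAME, 'Open ms-device-enrollment:?mode=mdm')) {
        # Same Settings > Access work or school enrollment flow the link opens in Edge.
        Start-Process 'ms-device-enrollment:?mode=mdm'
    }
    $state
}

# -WhatIf reports the state without opening anything; drop it to trigger enrollment.
Invoke-MdmEnrollmentIfMissing -WhatIf
```

Because this runs as the user and goes through the normal enrollment prompt, the resulting record is still whatever Intune derives from the enrollment type (typically personal for a registered device), which is the caveat Dr_Snooze raises next.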

@Dr_Snooze

It depends... When you are making use of Conditional Access and only require compliant devices to access the data, you don't even get that screen; you will be prompted that you don't have access... But let's say I disable that Conditional Access policy, then I will be prompted.

It also depends on how the MAM/MDM scope is configured, like I mentioned in the blog I posted. The MAM scope will take precedence if both MAM and MDM are configured to All. When the MAM scope isn't configured, your AADR device will be enrolled into Intune.

Azure AD and Intune are two totally separate environments... An Azure AD joined device doesn't necessarily need to be MDM managed, and an Azure AD registered device can be Intune enrolled.

 

@Rudy_Ooms_MVP

"the mam scope will take precedence if both mam and mdm are configured to all"

It's important to note that there is a giant hole in coverage here. In my tenant, I have MDM scope set to All and MAM scope set to None. Still, if someone unchecks that box, the device disappears into the dark (no MDM, and no MAM either, because MAM's not set up). It all depends on what the user does with that checkbox when they are asked if they want to allow their employer to manage their personal device. Most everyone is going to uncheck it. I would. Microsoft has set me up for failure from the outset.

Conditional Access is the obvious solution here, but generates its own set of problems, and those problems turn into trouble tickets very quickly.

Ditto MAM. It's an extremely intrusive solution (and frankly, WIP via Intune doesn't work very well at this point).

In my opinion, this is a structural flaw in Intune. Devices accessing company data should not simply disappear into a misty nether realm of non-management. I should at least be able to find them without doing a lengthy side-by-side audit of device lists.
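An added example, not from Dr_Snooze's post and not a Microsoft tool, that automates the side-by-side audit he is complaining about: it joins the Azure AD device list against the Intune managed-device list on the Azure AD device ID and returns the Windows devices that have no Intune record, flagging those whose Azure AD object already claims Intune as the MDM. `Get-MgDevice`, `Get-MgDeviceManagementManagedDevice` and the `mdmAppId` property come from the Microsoft Graph PowerShell SDK (`Install-Module Microsoft.Graph`); the Intune MDM application ID constant, the Windows-only filter and the output shape are this example's own assumptions. It needs an account that can read devices and managed devices.

```powershell
# Added example (not from the thread). Azure AD devices that are missing from
# Intune, i.e. the "fell through the cracks" population.
# Assumptions: Microsoft.Graph SDK installed; 0000000a-0000-0000-c000-000000000000
# is the Intune MDM app ID that Azure AD stores in mdmAppId; Windows only.

function Get-AadDevicesMissingFromIntune {
    param(
        [string]$IntuneMdmAppId = '0000000a-0000-0000-c000-000000000000'
    )

    Connect-MgGraph -Scopes 'Device.Read.All', 'DeviceManagementManagedDevices.Read.All' | Out-Null

    # Azure AD device objects: both joined (trustType AzureAd) and registered (Workplace).
    $aad = Get-MgDevice -All -Property @(
               'id', 'displayName', 'deviceId', 'operatingSystem', 'trustType',
               'mdmAppId', 'approximateLastSignInDateTime'
           ) | Where-Object { $_.OperatingSystem -like 'Windows*' }

    # Intune managed-device records, indexed by the Azure AD device ID they carry.
    $intune = @{}
    Get-MgDeviceManagementManagedDevice -All -Property @('id', 'deviceName', 'azureAdDeviceId', 'complianceState') |
        ForEach-Object { if ($_.AzureAdDeviceId) { $intune[$_.AzureAdDeviceId] = $_ } }

    foreach ($d in $aad) {
        if ($intune.ContainsKey($d.DeviceId)) { continue }   # managed: not interesting here
        [pscustomobject]@{
            DisplayName  = $d.DisplayName
            AadDeviceId  = $d.DeviceId
            TrustType    = $d.TrustType                       # AzureAd = joined, Workplace = registered
            ClaimsIntune = ($d.MdmAppId -eq $IntuneMdmAppId)  # Azure AD says "Intune", Intune disagrees
            LastSignIn   = $d.ApproximateLastSignInDateTime
        }
    }
}

Get-AadDevicesMissingFromIntune |
    Sort-Object ClaimsIntune, LastSignIn -Descending |
    Format-Table DisplayName, TrustType, ClaimsIntune, LastSignIn -AutoSize
```

Rows with `ClaimsIntune = True` are exactly the devices Dr_Snooze describes (Azure portal shows Intune as MDM, Intune has never seen them); rows with `TrustType = AzureAd` and no Intune record match the OP's first device. Run it on a schedule and diff the output rather than the portals.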

Thanks for your reply. Doing some digging around, I found that auto-enrolment is confined to a group that only has one member in it, so it's down to the device owner to enrol. Have I understood this correctly: if I set the scope to All, does everyone that signs in to AAD with the correct licence get auto-enrolled? Or is it still on the device owner to go through the enrolment steps on the device?

@Rudy_Ooms_MVP

Thanks - informative blogs.
I have a question about Autopilot. I managed to get the 4k HH from HP and added them to the Autopilot devices, but when it comes to doing an Autopilot Reset it is not available:

Going back to the device in Autopilot, it shows it hasn't been enrolled and there is no MDM:

Any ideas why it's not allowing me to perform a reset?

Thanks for the advice - leaving device owners to enrol their devices is where all my issues start from 🙂
After you got the 4k HH you still need to manually reset the device and perform the autopilot enrollment. Only uploading the 4k hash isn't enough
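An added example, not from Rudy's reply and not a Microsoft tool, for the two halves of what he describes: first confirm from Microsoft Graph that the device's serial number is actually registered in Autopilot with a profile assigned (an imported hash with no profile, or `EnrollmentState = notContacted`, is the "not enrolled, no MDM" view from the screenshot), then kick off a local Reset this PC so the device goes back through OOBE and picks up the Autopilot profile. Intune-side Wipe and Autopilot Reset are not offered because the device is not MDM enrolled yet, which is why the reset has to be started on the device. `Get-MgDeviceManagementWindowsAutopilotDeviceIdentity` and the permission scope are from the Microsoft Graph PowerShell SDK (module Microsoft.Graph.DeviceManagement.Enrollment); reading the serial from Win32_BIOS and launching `systemreset.exe -factoryreset` are this example's own choices. The reset part needs an elevated prompt.

```powershell
# Added example (not from the thread). Verify Autopilot registration for this
# device's serial number, then start the local reset that makes OOBE run again.
# Assumptions: Microsoft.Graph SDK installed; the serial HP put in the hash CSV
# is the BIOS serial; systemreset.exe -factoryreset opens 'Reset this PC'.

function Test-AutopilotRegistration {
    param([Parameter(Mandatory)][string]$SerialNumber)

    Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.Read.All' | Out-Null
    $dev = Get-MgDeviceManagementWindowsAutopilotDeviceIdentity -All |
           Where-Object { $_.SerialNumber -eq $SerialNumber } |
           Select-Object -First 1
    if (-not $dev) { return $null }

    [pscustomobject]@{
        SerialNumber    = $dev.SerialNumber
        GroupTag        = $dev.GroupTag
        # notAssigned => no deployment profile targets this device yet (fix before resetting)
        ProfileStatus   = $dev.DeploymentProfileAssignmentStatus
        # notContacted => the device has never been through OOBE since the hash was imported
        EnrollmentState = $dev.EnrollmentState
        AadDeviceId     = $dev.AzureActiveDirectoryDeviceId
        ManagedDeviceId = $dev.ManagedDeviceId
    }
}

function Start-LocalAutopilotReset {
    # Opens the built-in 'Reset this PC' dialog; choose 'Remove everything'.
    # After the reset the device boots into OOBE, contacts the Autopilot service
    # and applies the assigned profile (user-driven or self-deploying).
    Start-Process -FilePath "$env:SystemRoot\System32\systemreset.exe" -ArgumentList '-factoryreset'
}

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()
$reg    = Test-AutopilotRegistration -SerialNumber $serial

if (-not $reg) {
    Write-Warning "Serial $serial is not in Autopilot devices; import the hash first."
} elseif ($reg.ProfileStatus -eq 'notAssigned') {
    Write-Warning "Serial $serial is registered but has no deployment profile assigned; assign one before resetting."
    $reg | Format-List
} else {
    $reg | Format-List
    Start-LocalAutopilotReset
}
```

Re-run `Test-AutopilotRegistration` after the device has completed OOBE: `EnrollmentState` should move off `notContacted` and `ManagedDeviceId` should be populated, at which point the device also shows up under Intune managed devices and the portal-side Autopilot Reset becomes available.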
When you say manually reset, do you mean reinstall Windows? If so, from Intune or from the device itself, or doesn't it matter?

Thanks,
Abs