cancel
Turn on suggestions
Auto-suggest helps you quickly narrow down your search results by suggesting possible matches as you type.
Showing results for 
Show  only  | Search instead for 
Did you mean: 

Enroll Existing Azure AD Joined Machines to Intune

anshulj
Copper Contributor

‎Aug 25 2022 06:48 AM - edited ‎Aug 25 2022 09:39 AM

‎Aug 25 2022 06:48 AM - edited ‎Aug 25 2022 09:39 AM

Enroll Existing Azure AD Joined Machines to Intune

Hello Community,

 

We have an environment with 1500 Devices consisting around 1000 Devices which are already Azure AD Joined & around 500 Devices which are Hybrid AAD joined connected to local AD.
We want to onboard All devices to Endpoint Manager however we are unable to find a way to Bulk enroll devices to Intune. Our requirements are:

Enroll Existing Azure AD joined device to Intune without User Interaction in Bulk or through some automated approach. (We do not want to manually enter Creds to enroll neither want to reset AADJ)


Enroll Local AD joined devices in bulk without renaming the Computer Name as the Windows PPKG is forcing to rename the devices. How can we keep existing device name while enrolling. (We are aware of GPO Approach but did not tested it yet hence unaware of any Cons of using it)

What we have Tried so far and our expectations?

  • Created a Windows Provisioning Package but it does nothing on an Existing AADJ Machine except renaming its computer name.
  • We do not want to perform Manual "Enroll Only in Device Management" Step but tested it and it does Enroll Device as Personal Device and not corporate.
  • Provisioning package works well on a non-AADJ machine and enrolls the machine.
  • We cannot disconnect AADJ or Reset Devices.
  • We do not want our users to have local admin rights. (Optional)
  • We would like to have current logged on user mentioned as Primary user in endpoint manager. (Optional)
  • Do not want to use Provisioning package on Local Join Machine as it will rename them. (Optional)
  • Tested some scripts but no success.
  • Deep link do not work.
  • Our Machines are not Managed through SCCM but we do have RMM Service in the environment which can deploy Apps and Packages on the devices.

At the end our Motive is to enroll AADJ devices to Intune so we can start managing them, the enrollment process should not be a pain for our users or hampering their workflow. (We can ignore Optional requirement if its not possible to achieve )

 

Looking forward for some valuable suggestions!

Thank you!

7,704 Views
1 Like
17 Replies
Reply
17 Replies
Jannik_Reinhard

‎Aug 25 2022 08:36 AM

‎Aug 25 2022 08:36 AM

Re: Enroll Existing Azure AD Joined Machines to Intune

Did you have an look on this amazing tool from niall brady?

https://www.niallbrady.com/2022/05/22/migrate-to-the-cloud-part-1-setup/
0 Likes
Reply
anshulj

‎Aug 25 2022 09:40 AM

‎Aug 25 2022 09:40 AM

Re: Enroll Existing Azure AD Joined Machines to Intune

I do not think we are looking for what's suggested in the article you shared. Thanks
0 Likes
Reply
Rudy_Ooms_MVP

‎Aug 25 2022 10:48 AM

‎Aug 25 2022 10:48 AM

Re: Enroll Existing Azure AD Joined Machines to Intune

What happens when you run this task manually on an azure ad joined devices (to first determine if it works)

$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
New-Item -Path $registryPath

$Name = "AutoEnrollMDM"
$Name2 = "UseAADCredentialType"
$value = "1"
1 Like
Reply
anshulj

‎Aug 25 2022 11:15 AM - edited ‎Aug 25 2022 12:51 PM

‎Aug 25 2022 11:15 AM - edited ‎Aug 25 2022 12:51 PM

Re: Enroll Existing Azure AD Joined Machines to Intune

Thank you for your response @Rudy_Ooms_MVP 


Preview file
84 KB
0 Likes
Reply
anshulj

‎Aug 25 2022 11:39 AM - edited ‎Aug 25 2022 12:51 PM

‎Aug 25 2022 11:39 AM - edited ‎Aug 25 2022 12:51 PM

Re: Enroll Existing Azure AD Joined Machines to Intune

When i ran get-Item i get below with no value:

0 Likes
Reply
Rudy_Ooms_MVP

‎Aug 25 2022 12:31 PM

‎Aug 25 2022 12:31 PM

Re: Enroll Existing Azure AD Joined Machines to Intune

My bad forgot to copy 2 lines :)

$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
New-Item -Path $registryPath

$Name = "AutoEnrollMDM"
$Name2 = "UseAADCredentialType"
$value = "1"


new-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
new-ItemProperty -Path $registryPath -Name $name2 -Value $value -PropertyType DWORD -Force | Out-Null
2 Likes
Reply
anshulj

‎Aug 25 2022 12:55 PM

‎Aug 25 2022 12:55 PM

Re: Enroll Existing Azure AD Joined Machines to Intune

@Rudy_Ooms_MVP

The value is updated with the Script but it made no changes and nothing happened after i ran it. I restarted the Machine as well but the machine is still not enrolled.
Get Output
$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
Get-Item -Path $registryPath


Hive: HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion


Name Property
---- --------
MDM AutoEnrollMDM : 1
UseAADCredentialType : 1
0 Likes
Reply
Rudy_Ooms_MVP

‎Aug 25 2022 12:59 PM

‎Aug 25 2022 12:59 PM

Re: Enroll Existing Azure AD Joined Machines to Intune

Maybe if you follow this blog , you could determine what is happening (event log) and if the scheduled task is created… https://call4cloud.nl/2020/05/intune-auto-mdm-enrollment-for-devices-already-azure-ad-joined/

As this worked for us when we needed to enroll a couple of 100 already azure ad joined devices to intune
1 Like
Reply
anshulj

‎Aug 25 2022 01:05 PM

‎Aug 25 2022 01:05 PM

Re: Enroll Existing Azure AD Joined Machines to Intune

Thanks Rudy, I think i saw the Blog earlier but thought it may not work in our situation.i will do further testing as per the Blog suggestions and update here soon.
0 Likes
Reply
anshulj

‎Aug 25 2022 02:58 PM

‎Aug 25 2022 02:58 PM

Re: Enroll Existing Azure AD Joined Machines to Intune

Tried all steps as per the Article however the event is failing with below error:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (1DE7985E-ABE6-4B09-B008-E050367E5D**), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).
Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date: 8/25/2022 1:38:31 PM
Event ID: 404
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: *********
Description:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (1DE7985E-ABE6-4B09-B008-E050367E5D**), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" Guid="{3da494e4-0fe2-415c-b895-fb5265c5c8**}" />
<EventID>404</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2022-08-25T20:38:31.6613939Z" />
<EventRecordID>364</EventRecordID>
<Correlation />
<Execution ProcessID="2644" ThreadID="12188" />
<Channel>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Channel>
<Computer>*********</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Message1">1DE7985E-ABE6-4B09-B008-E050367E5D**</Data>
<Data Name="Message2">MDMDeviceWithAAD</Data>
<Data Name="Message3">Policy</Data>
<Data Name="InternalCmdType">1</Data>
<Data Name="Message5">./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version</Data>
<Data Name="HexInt1">0x80070002</Data>
</EventData>
</Event>
0 Likes
Reply
anshulj

‎Aug 25 2022 03:24 PM

‎Aug 25 2022 03:24 PM

Re: Enroll Existing Azure AD Joined Machines to Intune

I have tried solving this error but it looks pretty generic & strange in our situation and i could not find a reason, i will keep exploring but please share further suggestions if there is any.
0 Likes
Reply
Rudy_Ooms_MVP

‎Aug 25 2022 10:26 PM

‎Aug 25 2022 10:26 PM

Re: Enroll Existing Azure AD Joined Machines to Intune

Fakepolicy is one you could ignore as mentioned here :
https://call4cloud.nl/2021/07/65000-days-of-night/

The device should enroll..
-Does the device has that scheduled task?
-WHen trying to speed things up as mentioned in the blog.... do you receive any error?
-Are you noticing the other events I showed in the blog?
0 Likes
Reply
anshulj

‎Aug 26 2022 06:48 AM - edited ‎Aug 26 2022 06:52 AM

‎Aug 26 2022 06:48 AM - edited ‎Aug 26 2022 06:52 AM

Re: Enroll Existing Azure AD Joined Machines to Intune

Hello Rudy,
The Machine we are testing is Windows 11 and it is updated to the Latest version:
Edition Windows 11 Enterprise
Version 21H2
Installed on ‎8/‎16/‎2022
OS build 22000.918
Serial number ****
Experience Windows Feature Experience Pack 1000.22000.918.0
--------------------
I looked into the c:\windows\policydefinitions folder and did not find the Feeds.admx file neither the FEEDS folder is showing under the Registry.

_--------------------

The errors i noticed yesterday generated in every few minutes of interval with 404 mostly & 76 eventid sometimes . i do not see a scheduled task category created in the scheduler but did ran the devicenroller.exe few times and received below errors and warnings:

Autopilot.dll WIL error was reported.
HRESULT: 0x80070491
File: onecoreuap\admin\moderndeployment\autopilot\dll\dllmain.cpp, line 138
Message: NULL
Log Name: Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService
Source: Microsoft-Windows-ModernDeployment-Diagnostics-Provider
Date: 8/26/2022 5:40:13 AM
Event ID: 1010
Task Category: None
Level: Error
Keywords:
User: AzureAD\******
Computer: ******
Description:
Autopilot.dll WIL error was reported.
HRESULT: 0x80070491
File: onecoreuap\admin\moderndeployment\autopilot\dll\dllmain.cpp, line 138
Message: NULL
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-ModernDeployment-Diagnostics-Provider" Guid="{bab3ad92-fb96-5902-450b-b8421bdec7bd}" />
<EventID>1010</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x1000000000000000</Keywords>
<TimeCreated SystemTime="2022-08-26T12:40:13.5958417Z" />
<EventRecordID>150</EventRecordID>
<Correlation />
<Execution ProcessID="13060" ThreadID="1864" />
<Channel>Microsoft-Windows-ModernDeployment-Diagnostics-Provider/ManagementService</Channel>
<Computer>Blusky-PW02C9F3</Computer>
<Security UserID="S-1-12-1-489007883-1246781830-594163853-3518620488" />
</System>
<EventData>
<Data Name="HRESULT">0x80070491</Data>
<Data Name="File">onecoreuap\admin\moderndeployment\autopilot\dll\dllmain.cpp</Data>
<Data Name="Line">138</Data>
<Data Name="Message">NULL</Data>
</EventData>
</Event>
---------------------
MDM ConfigurationManager: Command failure status. Configuration Source ID: (1DE7985E-ABE6-4B09-B008-E050367E5DD2), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).
Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date: 8/26/2022 5:19:44 AM
Event ID: 404
Task Category: None
Level: Error
Keywords:
User: SYSTEM
Computer: **2C9F3
Description:
MDM ConfigurationManager: Command failure status. Configuration Source ID: (1DE7985E-ABE6-4B09-B008-E050367E5DD2), Enrollment Name: (MDMDeviceWithAAD), Provider Name: (Policy), Command Type: (Add: from Replace or Add), CSP URI: (./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version), Result: (The system cannot find the file specified.).
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" Guid="{3da494e4-0fe2-415c-b895-fb5265c5c83b}" />
<EventID>404</EventID>
<Version>0</Version>
<Level>2</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2022-08-26T12:19:44.7194027Z" />
<EventRecordID>851</EventRecordID>
<Correlation />
<Execution ProcessID="10824" ThreadID="12956" />
<Channel>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Channel>
<Computer>*2C9F3</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Message1">1DE7985E-ABE6-4B09-B008-E050367E5DD2</Data>
<Data Name="Message2">MDMDeviceWithAAD</Data>
<Data Name="Message3">Policy</Data>
<Data Name="InternalCmdType">1</Data>
<Data Name="Message5">./Device/Vendor/MSFT/Policy/ConfigOperations/ADMXInstall/Receiver/Properties/Policy/FakePolicy/Version</Data>
<Data Name="HexInt1">0x80070002</Data>
</EventData>
</Event>
------------------
WARNING

DeviceStatus CSP: WscGetSecurityProviderHealth(WSC_SECURITY_PROVIDER_FIREWALL) returned status 0x2 and HRESULT Incorrect function.
Log Name: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin
Source: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider
Date: 8/26/2022 5:16:33 AM
Event ID: 2750
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: *2C9F3
Description:
DeviceStatus CSP: WscGetSecurityProviderHealth(WSC_SECURITY_PROVIDER_FIREWALL) returned status 0x2 and HRESULT Incorrect function.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider" Guid="{3da494e4-0fe2-415c-b895-fb5265c5c83b}" />
<EventID>2750</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>0</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2022-08-26T12:16:33.7809003Z" />
<EventRecordID>822</EventRecordID>
<Correlation />
<Execution ProcessID="11656" ThreadID="11660" />
<Channel>Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin</Channel>
<Computer>**F3</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="Message1">WSC_SECURITY_PROVIDER_FIREWALL</Data>
<Data Name="HexInt1">0x2</Data>
<Data Name="HRESULT">0x1</Data>
</EventData>
</Event>
------------------------------------
I noticed because of the Group policy change "*Enable: “Automatic MDM enrollment using default Azure credentials“" i found below warning:

Log Name: System
Source: Microsoft-Windows-GroupPolicy
Date: 8/26/2022 6:20:56 AM
Event ID: 1085
Task Category: None
Level: Warning
Keywords:
User: SYSTEM
Computer: **C9F3
Description:
Windows failed to apply the MDM Policy settings. MDM Policy settings might have its own log file. Please click on the "More information" link.
Event Xml:
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
<System>
<Provider Name="Microsoft-Windows-GroupPolicy" Guid="{aea1b4fa-97d1-45f2-a64c-4d69fffd92c9}" />
<EventID>1085</EventID>
<Version>0</Version>
<Level>3</Level>
<Task>0</Task>
<Opcode>1</Opcode>
<Keywords>0x8000000000000000</Keywords>
<TimeCreated SystemTime="2022-08-26T13:20:56.0572615Z" />
<EventRecordID>9062</EventRecordID>
<Correlation ActivityID="{c0ff9fc8-a78e-4a8e-910d-fa347050bbb9}" />
<Execution ProcessID="2800" ThreadID="18388" />
<Channel>System</Channel>
<Computer>**9F3</Computer>
<Security UserID="S-1-5-18" />
</System>
<EventData>
<Data Name="SupportInfo1">1</Data>
<Data Name="SupportInfo2">5056</Data>
<Data Name="ProcessingMode">0</Data>
<Data Name="ProcessingTimeInMilliseconds">94</Data>
<Data Name="ErrorCode">2149056522</Data>
<Data Name="ErrorDescription">The device is already enrolled. </Data>
<Data Name="DCName">
</Data>
<Data Name="ExtensionName">MDM Policy</Data>
<Data Name="ExtensionId">{7909AD9E-09EE-4247-BAB9-7029D5F0A278}</Data>
</EventData>
</Event>
--------------------------------------
As per speeding up section, i ran C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM but did not received any error on commandshell however i checked the event logs and did not find any immediate error except mentioned above which are generated in some intervals since yesterday.

---------------------------------------
Yesterday only once have got 76 event error but post that it's only 404 and couple of times i noticed 454.

-----------------------------------------

I will be testing another Windows 10 today and follow your steps but wanted to inform you that we have tested couple of Windows 10 and 11 in the past and they all failed to auto enroll.
Our system is accepting new enrollments and adding new Windows 10 or 11 machines in endpoint manager through manual azure ad join method.

0 Likes
Reply
Rudy_Ooms_MVP

‎Aug 26 2022 06:51 AM

‎Aug 26 2022 06:51 AM

Re: Enroll Existing Azure AD Joined Machines to Intune

<Data Name="ErrorDescription">The device is already enrolled. </Data> ???
0 Likes
Reply
anshulj

‎Aug 26 2022 06:59 AM

‎Aug 26 2022 06:59 AM

Re: Enroll Existing Azure AD Joined Machines to Intune

Yes it seems to be enrolled now as it was not showing earlier when i copied the warning. Boom. So what has fixed it? I am trying to see what changes could have triggered it. anything you can suggest?
0 Likes
Reply
anshulj

‎Aug 26 2022 07:23 AM

‎Aug 26 2022 07:23 AM

Re: Enroll Existing Azure AD Joined Machines to Intune

okay so i have noticed that the computer name is changed which is due to package we have installed so the package have pushed the changes! I think i need to test again on other machine where the package was not pushed to get clear idea of what fixed it.
0 Likes
Reply
Rudy_Ooms_MVP

‎Aug 26 2022 10:37 AM

‎Aug 26 2022 10:37 AM

Re: Enroll Existing Azure AD Joined Machines to Intune

Just tested it myself again... if you configure those registry keys and you use psexec to run that autoenrollmdm as system it will be enrolled into Intune within seconds!
0 Likes
Reply