Enroll existing Azure AD Joined W10 Devices into Intune

Hi All

What is the best way to enroll existing / live / already in use Azure AD Joined W10 devices into Intune?

I have tried deep linking and get a privileges error.

Info greatly appreciated.

The reality is there is no logical and painless way.

@Thijs Lecomte 

This section, Work or School, is already connected to Azure AD when the devices were Azure AD joined.

There are many ways to enroll Windows 10 devices in Intune; the simplest is to use SCCM and co-management when you already have PCs enrolled in SCCM.

In this blog (https://microscott.azurewebsites.net/2018/08/31/managing-windows-10-with-intune-the-many-ways-to-enr...) you have all the different ways to enroll a Windows 10 computer in Intune.

Regards, 

Julien

@Stuart King Hi Stuart, did you work this out? I am having the same issues as you trying to enrol devices into Intune. Advice appreciated.

@Stuart King 

I am in the same boat. I have over 5k computers, joined with AAD. No on-premises servers, all cloud, and no SCCM either.

Deep link will give the user a permission issue. The only way I found is that you visit each user's desk, unjoin from AAD and rejoin; during the rejoin it will give the user local admin rights. Plus, you need local admin rights.

What a painful and totally unprofessional way to get into Intune. Feel the Intune pain...

There is no need to unjoin and rejoin AAD; you can enroll into MDM without re-enrolling.

AAD is not a management tool, so there is no real way to automate this.

@Thijs Lecomte I totally understand what you have said. If your Intune is set up for enrollment for All Users and you join AAD with a user, it will automatically be enrolled into Intune.

But if you didn't configure Intune, devices will only be joined to AAD, as shown below.

Now you mentioned I can enroll into Intune without unjoining/rejoining AAD; looking at the picture below, I'd like to know how?

[Image: intune_Joined.png]
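
An added example, not from this thread or from Microsoft: a read-only PowerShell check that reports whether a device is Azure AD joined and whether it actually holds an Intune (MDM) enrollment, so the "only joined AAD" devices described above can be inventoried before any enrollment work. It assumes the `dsregcmd /status` field names (`AzureAdJoined`, `DomainJoined`, `TenantName`, `MdmUrl`) and that Intune enrollments are recorded under `HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>` with `ProviderID` = `MS DM Server`, `EnrollmentState` = 1 and a `UPN` value.

```powershell
# Added example (not from the thread): report AAD join state and Intune (MDM)
# enrollment state for the local Windows 10 device. Read-only; run elevated so
# the Enrollments registry key is readable.

function Get-AadJoinAndMdmState {
    # dsregcmd /status prints "Name : Value" lines; collect them into a hashtable.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([^:\s][^:]*?)\s*:\s*(.*)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }

    # Assumption: a completed Intune enrollment appears as a GUID subkey under
    # HKLM\SOFTWARE\Microsoft\Enrollments with ProviderID "MS DM Server" and
    # EnrollmentState = 1. Helper subkeys without ProviderID are skipped.
    $enrollment = $null
    $enrollRoot = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($key in (Get-ChildItem $enrollRoot -ErrorAction SilentlyContinue)) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($props.ProviderID -eq 'MS DM Server' -and $props.EnrollmentState -eq 1) {
            $enrollment = $props
        }
    }

    $enrolledUpn = $null
    if ($enrollment) { $enrolledUpn = $enrollment.UPN }   # assumption: UPN value on the enrollment key

    # AzureAdJoined = True with IntuneEnrolled = False is the "only joined AAD"
    # case discussed in the thread.
    [pscustomobject]@{
        ComputerName   = $env:COMPUTERNAME
        AzureAdJoined  = ($status['AzureAdJoined'] -eq 'YES')
        DomainJoined   = ($status['DomainJoined'] -eq 'YES')
        TenantName     = $status['TenantName']
        MdmUrl         = $status['MdmUrl']   # present when MDM is configured for the tenant/user scope
        IntuneEnrolled = [bool]$enrollment
        EnrolledUpn    = $enrolledUpn
    }
}

Get-AadJoinAndMdmState | Format-List
```

Collected from many devices (for example via a remoting session or a logon script), the objects give a list of AAD-joined but unenrolled machines to plan against.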

@Orion-Skol 

In the Access work/school account you can enroll into MDM only.

I just tested this in my lab and it works great.

[Image: 2020-06-04 16_33_37-Clipboard.png]

@Thijs Lecomte Do users need to be local admin, or can a user without admin permission execute this? I have over 5k computers; is there an automatic way, like PowerShell, I can enroll?

The user has to be local admin.
Which makes sense, as you wouldn't want regular users to enroll into every MDM system they like.

Every way of enrolling into MDM will require some kind of admin access to a device.

I don't think there is a way to automate this.

@Thijs Lecomte We can't give every user admin permission. My auditor will yell at me, and I don't think any corporation will be able to give local admin rights to users. So enrollment would fail here.

Can a separate user account with local admin (not the logged-in user) enroll this while the (non-admin) user is logged in?

I totally hear you.... You don't want to give out local admin.

I think it's the currently logged-on user who needs to execute these tasks, but I am not sure. It's something you would have to test.

@Thijs Lecomte This is the reason I mentioned above that Intune enrollment is unprofessional and not acceptable. How many corporations will give users local admin rights to enroll in Intune? If your corporation does, good luck with compliance and auditors.

Why not create a right-click option on endpoint.microsoft.com on devices and select to enroll the MDM device? Or with PowerShell?

Otherwise it is a total failure...

Well, Microsoft's solution is auto-enrollment, which doesn't require local admin actually.

@Thijs Lecomte How??

Microsoft came out and we moved all computers to AAD (there is no on-premises or SCCM left).

Now I want to enroll all devices into Intune.... How? Without giving the user local admin.

Auto-enrollment enrolls into Intune when you join AAD.

This is the solution that Microsoft recommends.

For your case, there is no solution, and probably no solution will come.

@Thijs Lecomte I see a big failure here if MS won't change this. This would be a lack of security and compliance for many companies, especially financial companies. I think I would suggest my company look for a 3rd-party MDM solution... good luck everyone.