Forum Discussion
Intune auto MDM enrollment for devices already Azure AD joined?
Hi Bob,
auto-enrollment is not supported when not used with OOBE and AADJ. But you could use an approach to guide users to MDM enrollment by sending out deep links via email for example. See here:
best,
Oliver
Hi Bob,
auto-enrollment is not supported when not used with OOBE and AADJ. But you could use an approach to guide users to MDM enrollment by sending out deep links via email for example. See here:
best,
Oliver
Hi Oliver,
so what should companies which are long using AAD joined devices and want to start using Intune leveraging the Intune Management Extension do?? since the extension is only installed once MDM is Auto Enrolled and the MDM cannot be auto enrolled because the client is already joined to Azure AD.
Whats the best solution for that?
Thanks
- I have the same issue , did you find a solution
Hi,
may you PM me some more details about how many devices are blocked by this and some more details. This would be helpful for MS.
best,
Oliver
I have similiar case here. We have around 40 laptop users using O365 and devices are connected to Azure AD. Now I want to deploy M365 and Intune for them. I have upgraded users subscription to M365 and Windows version has been upgraded automatically to Windows 10 business as should. Computers won't pop-up automatically to Intune… I have read that I should cut the current connection to Azure AD from each Workstation and re-join devices again manually to Azure AD. I have tested this and computers will pop-up in Intune. This will do the trick, but isn't there a simpler way?
- At scale this would be so painful to do, I wonder if MS is working on this. I've had the same thoughts.
Hi Guys,
Haven't had a chance to try this out in my lab, but it looks like enrolment can be triggered with Group Policy "starting Windows 10, version 1709 you can use a Group Policy to trigger auto-enrolment to MDM for Active Directory (AD) domain joined devices."
"When the auto-enrollment Group Policy is enabled, a task is created in the background that initiates the MDM enrollment. The task will use the existing MDM service configuration from the Azure Active Directory information of the user. "
Hope this helps!
Deleted
Existing AAD Device - try bulk enrollment - it will probably rejoin the device to AAD but after a few days, I believe the records will merge. Be patient.
https://docs.microsoft.com/en-us/intune/windows-bulk-enrollBulk enrollment requires you to send a .ppkg manually to each device that is already enrolled. Not really an option.
Hello, if its for Autopilot you can try that what Robin posted in his Blog:
https://www.robinhobo.com/automatic-add-existing-windows-10-devices-to-windows-autopilot/Hi Kaya,
thanks for your reply but that doest work because the devices are currently not managed by Intune
"For this blog I have the following assumptions;
- You have Windows AutoPilot already up and running in your Azure tenant like described in my previous blog
- You have Windows 10 devices in use that are currently managed by Microsoft Intune but are not registered with Windows AutoPilot."
Imagine a following scenario, a company which is cloud only and all the devices (hundreds) are joined to Azure AD. They never seem the benefits of Intune before so the MDM was never configured. Now they are getting into the idea of managing these devices via Intune only and leverage the App Distribution provided by Intune (which requires Intune Management Extension). The only way the Management Extension is installed automatic is when the device is joined to Azure AD. So for this company be enabled with Intune and the Mgmt Extension they need to manually re-join all its devices to Azure AD.
That is Sadly the only way it currently works.
This would require a reset to implement for intune enrollment, probably out of the OP's scope.
I have hundreds of laptops which I need to enrol to intune. I have set up the gpo to auto enrol but all they appear is under Azure AD Devices and not under All devices. I need them under all devices so that I can manage them. If I download the company portal and follow the steps then the laptop gets enrolled however I want this to be transparent and automatically enrolled. Any help??
I am running into this exact same scenario. The previous director of IT only enrolled in the office 365 plan with Azure Active Directory, and we now want to use MDM with InTune and its turning out that we can't because everyone is already signed into Azure Active Directory
- Welcome to the club mate. Only way to get it to work is unenroll from azure (make sure you know the local admin account pwd and the account is active) reboot and re-enrol.
- 2nd that , completed my site doing the above. You don’t lose user profiles . Everything stays the same when you remove and add them back in
The easiest way is to just got to the "Access Work or School" setting, and then click "Connect" again, and sign in again. This will apply the MDM policy as long as the user you're using has that license applied to them.
I'm doing this now as we're deploying MDM on an Azure AD environment. It's still manual, but it's not that bad. Users could also do this if they have an MDM license.
We have on premise AD using AD connect to sync details to AAD, all users are using M365.
We have followed the instructions to auto enrol
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll
but so far, none of our test clients are enrolling.
User 1 – Domain joined on local prem DC
AzureAdJoined: YES
EnterpriseJoined: NO
DomainJoined: YES
User 2 – Device joined to Azure AD
As other’s have mentioned, we would like to minimise the disruption to end users, hence why we were looking to use the auto enrolment option.
Frustrating situation. I found this solution. Specifically I used the powershell script and deployed via RMM agent installed on systems already. Script adds registry key then creates scheduled task to start MDM enrollment. Hope this helps someone
- There is no automated way of doing this.
Or you write manuals for your users on how to do this, you can also use deep links (https://docs.microsoft.com/en-us/windows/client-management/mdm/mdm-enrollment-of-windows-devices#connect-your-windows-10-based-device-to-work-using-a-deep-link), or have an admin do this manually.- So annoying! I thought it wad bad enough having no migration path from Hybrid AAD Joined to AAD Joined.
But to not have option to just enroll an AAD Joined device is crazy.- i was in same situation. But dig more on schedule with intune. found following command and added some parameters. All my devices are in Intune now.
here is the command i ran
c:\windows\system32\deviceenroller.exe /c /AutoEnrollMDM
not sure if this works for you guys, but give it try
Hi, so we are in the same situation and use azure doman join machines but i managed to get the devices in Intune. We use a device managemen system Quest to run scripts on the machines.
1. give the user rights to enroll in intune
2. we are already using LGPO utility to push local policy's to everymachine (because they are not managed by intune yet). so we adjust the policy with the "Computer policy\administrative templates\windows components\MDM with the settings Enabled and User Credentials"
3. When applying the GPO it must be applied with admin rights under a Office365 user with admin rights in the O365 tenant. Because our Quest system can not run under a Office365 account we start a script with PSEXEC64 . example:psexec64 -c lgporunner.cmd -u user@azuredomain.com -p password /accepteula
4. lgporunner.cmd consist of:START /MIN LGPO.exe /g (directorywith LGPO settings)
START /MIN Gpupdate /forcecall c:\windows\system32\deviceenroller.exe /c /AutoEnrollMDM
5. after this the device is enrolled in our Intune.
Update:
after that the solution from this site is working to add the devices to autopilot:
https://www.robinhobo.com/automatic-add-existing-windows-10-devices-to-windows-autopilot/
MTSBob
I too have just run into this. After 2days of troubleshooting with my own machine (admin), and one other, I came across this thread.
I have only about 15 machines, but many of them are remote, but I can remote to them.If there have been any changes, would love to hear them.
Wish me luck.
- Yes there are...
https://call4cloud.nl/2020/05/intune-auto-mdm-enrollment-for-devices-already-azure-ad-joined
But what ever you do. don't use the enroll in mdm only option in the account settings
