Intune auto MDM enrollment for devices already Azure AD joined?

I have a client whose fleet of Windows 10 PCs is already joined to their organizational AAD (company-ownership), without any MDM, but now would like to start using Intune. They've upgraded their licenses to AAD premium and EMS, so that they could use Intune MDM for these devices - and take advantage of MDM auto-enrollment going forward. However, is it possible to get their existing non-MDM devices to "auto enroll" into Intune, even though they are already AAD joined (prior to them getting Intune)? I can only find auto-enrollment scenarios working at AAD join time, not after the fact.
46 Replies



That won't work - it will come up with a message saying 'This device is already joined to Azure Active Directory'.


And it will do the same if you go to '' and click the device to enrol.

There is no automated way of doing this.
Or you write manuals for your users on how to do this, you can also use deep links (, or have an admin do this manually.
So annoying! I thought it was bad enough having no migration path from Hybrid AAD Joined to AAD Joined.

But to not have the option to just enroll an AAD Joined device is crazy.
I was in the same situation, but dug more on the schedule with Intune. Found the following command and added some parameters. All my devices are in Intune now.
Here is the command I ran:
c:\windows\system32\deviceenroller.exe /c /AutoEnrollMDM

Not sure if this works for you guys, but give it a try.

Hi, so we are in the same situation and use Azure domain joined machines, but I managed to get the devices into Intune. We use a device management system, Quest, to run scripts on the machines.


1. Give the user rights to enroll in Intune.

2. We are already using the LGPO utility to push local policies to every machine (because they are not managed by Intune yet), so we adjust the policy with the "Computer policy\administrative templates\windows components\MDM with the settings Enabled and User Credentials".

3. When applying the GPO, it must be applied with admin rights under an Office365 user with admin rights in the O365 tenant. Because our Quest system cannot run under an Office365 account, we start a script with PSEXEC64. Example:

psexec64 -c lgporunner.cmd -u -p password /accepteula

4. lgporunner.cmd consists of:

START /MIN LGPO.exe /g (directory with LGPO settings)
START /MIN Gpupdate /force

call c:\windows\system32\deviceenroller.exe /c /AutoEnrollMDM


5. After this the device is enrolled in our Intune.



After that the solution from this site is working to add the devices to autopilot:
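Added example, not code from any post in this thread or from the site referred to above: a PowerShell pre-check for the conditions the two replies above rely on before deviceenroller.exe is run (device Azure AD joined, user allowed to enroll, MDM auto-enrollment policy set to Enabled with User Credentials). The function names and the sample dsregcmd text are constructed; reading an empty MdmUrl as "user not in MDM scope" and the value 1 as "User Credentials" are assumptions.

```powershell
# Constructed sample; on a real device use: $text = dsregcmd /status | Out-String
$sampleDsreg = @'
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
                TenantName : Contoso (constructed)
                    MdmUrl :
'@

function ConvertFrom-DsregStatus {
    param([string]$Text)
    $state = @{}
    foreach ($line in $Text -split "`r?`n") {
        # dsregcmd prints "Name : Value"; match the first colon only, URLs contain more
        if ($line -match '^\s*(\w+)\s*:\s*(.*)$') { $state[$Matches[1]] = $Matches[2].Trim() }
    }
    $state
}

function Get-AutoEnrollPolicy {
    # Registry location written by the MDM auto-enrollment policy (local or domain GPO)
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoEnrollMDM        = $p.AutoEnrollMDM
        UseAADCredentialType = $p.UseAADCredentialType
    }
}

function Test-AutoEnrollReadiness {
    param([hashtable]$Dsreg, $Policy)
    $gaps = @()
    if ($Dsreg['AzureAdJoined'] -ne 'YES') { $gaps += 'Device is not Azure AD joined' }
    # Assumption: MdmUrl stays empty when the signed-in user is outside the MDM user scope
    if (-not $Dsreg['MdmUrl']) { $gaps += 'No MdmUrl: check MDM user scope and license' }
    if ($Policy.AutoEnrollMDM -ne 1) { $gaps += 'Auto-enrollment policy is not Enabled' }
    # Assumption: 1 corresponds to the "User Credentials" setting
    if ($Policy.UseAADCredentialType -ne 1) { $gaps += 'Credential type is not User Credentials' }
    ,$gaps   # leading comma keeps an empty result an array
}

$dsreg = ConvertFrom-DsregStatus -Text $sampleDsreg
$gaps  = Test-AutoEnrollReadiness -Dsreg $dsreg -Policy (Get-AutoEnrollPolicy)
if ($gaps.Count -eq 0) { 'Ready: deviceenroller.exe /c /AutoEnrollMDM can be attempted' }
else { $gaps | ForEach-Object { "GAP: $_" } }
```

With the constructed sample the script reports the missing MdmUrl, plus the policy gaps on any machine where the policy has not been applied.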

@Bob Manjoney 
I too have just run into this. After 2 days of troubleshooting with my own machine (admin), and one other, I came across this thread.

I have only about 15 machines, but many of them are remote, but I can remote to them. 


If there have been any changes, would love to hear them.


Wish me luck.

Yes there are...
But whatever you do, don't use the "enroll in MDM only" option in the account settings.