This blog will show you how you could make sure, your existing Azure Ad joined devices (that are not yet enrolled into MDM / Intune) are going to be automatically enrolled into Intune.

I will divide this blog into multiple parts

1. The issue
2. Solving it
3. The Results
4. Troubleshooting the Enrollment

1.The Issue

A lot of customers will start their cloud journey by making use of Azure Ad as their Identity Provider. Most of the time, Intune wasn’t yet part of that journey. But what if you want to make sure your devices are being managed and the devices are already enrolled into azure but not into Intune?

Today I spend some time enrolling existing Azure Ad joined devices into Intune. These devices were Azure Ad joined without MDM/Intune enabled and configured.

2. Solving it

When you want to enroll your existing Azure Ad joined device into Intune, there are multiple options available to make sure the device will be enrolled into MDM/Intune

Option 1: Group Policy:  

You can open the group policy object editor and browse to

Computer Configuration > Administrative Templates > Windows Components > MDM.

And configure this setting like the picture below:

*Enable: “Automatic MDM enrollment using default Azure credentials“

*Credential Type to use: User credentials

Option 2. Registry:

Instead of changing a GPO setting, we could also change the corresponding registry setting ourselves. So just import this reg file with the required enrollment information in it.

Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
"AutoEnrollMDM"=dword:00000001
"UseAADCredentialType"=dword:00000001

It does the same as the GPO as a GPO is nothing more than a bunch registry changes… 🙂

Option 3. PowerShell

And of course, you could also just deploy this PowerShell script to your devices to make sure the device will start enrolling into MDM/Intune/Endpoint Manager

$registryPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
New-Item -Path $registryPath

$Name = "AutoEnrollMDM"
$Name2 = "UseAADCredentialType"
$value = "1"


new-ItemProperty -Path $registryPath -Name $name -Value $value -PropertyType DWORD -Force | Out-Null
new-ItemProperty -Path $registryPath -Name $name2 -Value $value -PropertyType DWORD -Force | Out-Null

3. Results:

When you applied one of these options I described above, you will notice a new Task will be created in the task scheduler. A new nice Category: EnterpriseMgmt will be created with a new nice task in it

Give it some time because sometimes it could really take long before the device will be enrolled into Intune successfully. Sometimes it could take over more than a few hours, also putting the device to sleep or logging out the user will keep you waiting.

4. Troubleshooting the Enrollment

When you don’t want to wait until you are an old person, and you want to speed it up.

Please enforce enrollment by running this command:

C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM

But unfortunately, sometimes there are still some leftovers in the registry when the device was MAM enrolled instead of MDM enrolled. You could clean up the registry first and run the deviceenroller afterward.

$EnrollmentsPath = "HKLM:\SOFTWARE\Microsoft\Enrollments\"
 
$Enrollments = Get-ChildItem -Path $EnrollmentsPath
  
$DiscoveryServerFullUrls = @("https://wip.mam.manage.microsoft.com/Enroll")
 
Foreach ($Enrollment in $Enrollments) {
      $EnrollmentObject = Get-ItemProperty Registry::$Enrollment
      if ($EnrollmentObject."DiscoveryServiceFullURL" -in $DiscoveryServerFullUrls ) {
            $EnrollmentPath = $EnrollmentsPath + $EnrollmentObject."PSChildName"
            Remove-Item -Path $EnrollmentPath -Recurse
            &  "C:\Windows\System32\deviceenroller.exe /c /AutoEnrollMDM"
      }
}

And if that ain’t working…. please take a look at part 2 of this blog… It will remove all the existing enrollments, device Intune certificates, and tasks. When everything is removed it will try to enrol into Intune again

Conclusion:

When your devices are already enrolled into Azure Ad, id doesn’t mean you will need to reinstall the devices to also enrol them into Intune