This blog will show you a possible method for ensuring that your existing Azure AD / Entra joined devices that are not yet MDM / Intune enrolled get automatically enrolled in Intune.
1. Introduction
Many customers start their cloud journey using Azure AD as their identity provider. Most of the time, Intune wasn’t yet part of that journey. But what if your devices are already joined to Azure AD/Entra but not enrolled in Intune, and you want to make sure they are managed too?
Today, I enrolled existing Azure AD/Entra joined devices into Intune. These devices were Azure AD joined, but without MDM/Intune enabled or configured.
This company started with only Microsoft 365 Business Standard licenses. With this particular license, we are not able to enroll the devices into Intune.
So without the possibility to enroll devices into Intune, all of the devices were only Azure AD/Entra joined. How do we ensure we can enroll those Entra joined-only devices into Intune?
When you want to enroll an existing Azure AD joined device into Intune, multiple options are available to get the device enrolled into MDM/Intune.
Microsoft tells us that the officially supported method uses a provisioning package.
I guess there should be an easier way to do so. Before I show you the easy way, let’s first examine the requirements.
2. The Requirements
The first one is not necessarily a requirement, but it could make your life much easier. When we have a third-party remote management (RMM) tool installed on those devices, we will probably have the possibility to deploy a PowerShell script to those devices in the system context (at least our RMM tool has that option).
The system permissions are necessary because enrolling an existing Azure AD joined device into Intune has one major requirement: you must have the right privileges (local administrator) to perform that operation! Otherwise, you will end up with some nice errors.
If the permissions aren’t going to be an issue, we still need to check some other settings. We must configure the MDM user scope in Intune to ensure users can enroll their devices. As shown below, we ensured only users with a proper license (Business Premium) could enroll their devices in MDM.
Please note: before enrolling the device, also make sure there are no enrollment restrictions (Block Personal Devices) configured!
3. Triggering the Enrollment
We need a faster solution for when you don’t want to go through all the steps to create a provisioning package and end up as a grumpy old man.
If you aren’t deploying the script below in the system context (via an RMM tool), you need to download and use PsExec (Sysinternals).
With psexec -s we can start the enrollment: it runs the DeviceEnroller command with the arguments /c /AutoEnrollMDM in the SYSTEM context.
If you don’t execute this command in the system context, you will notice a nice error mentioning: “Auto MDM Enroll: Device Credential (0x0), Failed (Access is denied)”. So please… use PsExec to kick off the enrollment if you are doing this on your own and not using an RMM tool.
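Before kicking off deviceenroller.exe it is worth checking the three things the post says the enrollment depends on: that you really are running as SYSTEM, that the device is Entra joined, and that it is not already MDM enrolled. The script below is an added example and not part of the original post or the author’s scripts. It assumes dsregcmd.exe /status prints the “AzureAdJoined : YES” line, that an existing Intune enrollment shows up as a key under HKLM:\SOFTWARE\Microsoft\Enrollments with ProviderID set to “MS DM Server”, and that the function name Test-EnrollmentPrereqs is our own choice.

```powershell
# Pre-flight check before running deviceenroller.exe /c /AutoEnrollMDM
# Added example (not from the original post). Assumptions: dsregcmd /status output
# format, and the HKLM\SOFTWARE\Microsoft\Enrollments\<GUID>\ProviderID = "MS DM Server"
# marker for an existing Intune enrollment.

function Test-EnrollmentPrereqs {
    $result = [ordered]@{
        RunningAsSystem    = $false
        EntraJoined        = $false
        AlreadyMdmEnrolled = $false
        TenantKeyPresent   = $false
    }

    # 1. Identity: AutoEnrollMDM needs the SYSTEM context (SID S-1-5-18); anything
    #    else ends in "Device Credential (0x0), Failed (Access is denied)".
    $id = [System.Security.Principal.WindowsIdentity]::GetCurrent()
    $result.RunningAsSystem = ($id.User.Value -eq 'S-1-5-18')

    # 2. Join state: parse dsregcmd /status instead of guessing from the registry.
    $status = & "$env:windir\system32\dsregcmd.exe" /status
    $result.EntraJoined = [bool]($status | Where-Object { $_ -match '^\s*AzureAdJoined\s*:\s*YES' })

    # 3. MDM state: an Enrollments key whose ProviderID is "MS DM Server" means the
    #    device already has an Intune enrollment, so re-triggering is pointless.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { (Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue).ProviderID -eq 'MS DM Server' }
    $result.AlreadyMdmEnrolled = [bool]$enrollments

    # 4. The TenantInfo key that the enrollment script writes MdmEnrollmentUrl to
    $tenantKeys = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo' -ErrorAction SilentlyContinue
    $result.TenantKeyPresent = ($null -ne $tenantKeys -and @($tenantKeys).Count -ge 1)

    return [pscustomobject]$result
}

$check = Test-EnrollmentPrereqs
$check | Format-List

if (-not $check.RunningAsSystem) { Write-Warning 'Not running as SYSTEM; run this via your RMM tool or psexec -s.' }
if (-not $check.EntraJoined)     { Write-Warning 'Device is not Entra joined; AutoEnrollMDM will not work.' }
if ($check.AlreadyMdmEnrolled)   { Write-Warning 'Device already has an Intune (MS DM Server) enrollment.' }
if (-not $check.TenantKeyPresent) { Write-Warning 'No CloudDomainJoin\TenantInfo key found; the URL script has nothing to write to.' }
if ($check.RunningAsSystem -and $check.EntraJoined -and -not $check.AlreadyMdmEnrolled -and $check.TenantKeyPresent) {
    Write-Output 'Prerequisites met; safe to run deviceenroller.exe /c /AutoEnrollMDM.'
}
```

Run it through the same channel you will use for the enrollment itself (RMM in system context, or psexec -s), otherwise the RunningAsSystem check will always report false even though the real run would succeed.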
Let’s continue with the script! As shown below, I also ensured that the MdmEnrollmentUrls are configured before we start the enrollment!
I have two PowerShell scripts: one that just does its job, and one that creates a scheduled task to do exactly the same thing.
The simple one
# Set the MDM enrollment URLs on the tenant's CloudDomainJoin key
# (the subkey name under TenantInfo is the Entra tenant ID the device is joined to)
$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*'
$keyinfo = Get-Item "HKLM:$key"
$url = $keyinfo.Name
$url = $url.Split("\")[-1]
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$url"
# Intune's MDM discovery, terms-of-use and compliance endpoints (Microsoft's standard values)
New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ea SilentlyContinue
New-ItemProperty -LiteralPath $path -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ea SilentlyContinue
New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ea SilentlyContinue
# Trigger AutoEnroll (must run in the SYSTEM context)
C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM
The Scheduled Task One
This is another option you can use if you don’t want to leverage PsExec because ASR rules or your AV are blocking it. Besides, it could be blocked and create a lot of noise if you have a SIEM. If we want to enroll our existing device into Intune without using PsExec, we can also just create a scheduled task that does literally the same thing.
As shown below, this script creates a scheduled task that runs in the system context and triggers deviceenroller.exe with the /c /AutoEnrollMDM parameters.
# Trigger: start now and then repeat every minute until the task is removed
$triggers = @()
$triggers += New-ScheduledTaskTrigger -At (Get-Date) -Once -RepetitionInterval (New-TimeSpan -Minutes 1)
# Run as the local SYSTEM account, which deviceenroller.exe /AutoEnrollMDM requires
$User = "SYSTEM"
$Action = New-ScheduledTaskAction -Execute "%windir%\system32\deviceenroller.exe" -Argument "/c /AutoEnrollMDM"
$Null = Register-ScheduledTask -TaskName "TriggerEnrollment" -Trigger $triggers -User $User -Action $Action -Force
Start-ScheduledTask -TaskName "TriggerEnrollment"
4. Results
When kicking off the PowerShell script (or the scheduled task), you will need to give it some time, because sometimes it can take a bit longer before the device is successfully enrolled into Intune. In the meantime, you may notice the error Auto MDM Enroll: Failed 0x8018002b (event 76) popping up in the DeviceManagement-Enterprise-Diagnostics event log.
After some time of waiting, you will notice event 75 with the message Auto MDM Enroll: Succeeded.
For the people who don’t believe that this process will only take a few seconds, here you go:
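Rather than refreshing Event Viewer by hand, you can poll the same log for event 75/76 and, once enrollment has succeeded, remove the TriggerEnrollment task so the scheduled-task variant stops re-firing every minute. This is an added example, not the author’s script. It assumes the full log name Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin, the event IDs named in the post (75 succeeded, 76 failed), the task name TriggerEnrollment from the scheduled-task script, and a function name (Wait-MdmAutoEnroll) of our own choosing.

```powershell
# Wait for the AutoEnroll outcome in the DeviceManagement log, then clean up the task.
# Added example (not from the original post). Assumed: the Admin log name below and
# event 75 = "Auto MDM Enroll: Succeeded", event 76 = "Auto MDM Enroll: Failed".

$LogName  = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$TaskName = 'TriggerEnrollment'   # task name used by the scheduled-task script in this post

function Wait-MdmAutoEnroll {
    param(
        [datetime]$Since        = (Get-Date).AddMinutes(-5),  # only look at events after we kicked things off
        [int]     $TimeoutMinutes = 15,
        [int]     $PollSeconds    = 30
    )
    $deadline = (Get-Date).AddMinutes($TimeoutMinutes)
    $lastFail = $null
    do {
        # Get-WinEvent raises a non-terminating "No events were found" error when nothing matches
        $events = Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 75, 76; StartTime = $Since } -ErrorAction SilentlyContinue |
                  Sort-Object TimeCreated
        $success = $events | Where-Object Id -eq 75 | Select-Object -Last 1
        if ($success) {
            return [pscustomobject]@{ Succeeded = $true; Time = $success.TimeCreated; Message = $success.Message }
        }
        $lastFail = $events | Where-Object Id -eq 76 | Select-Object -Last 1
        if ($lastFail) {
            # A 0x8018002b failure here is the transient error the post describes; keep polling
            Write-Verbose ("Last failure at {0}: {1}" -f $lastFail.TimeCreated, $lastFail.Message) -Verbose
        }
        Start-Sleep -Seconds $PollSeconds
    } while ((Get-Date) -lt $deadline)

    $msg = if ($lastFail) { $lastFail.Message } else { 'no event 75/76 seen in the window' }
    return [pscustomobject]@{ Succeeded = $false; Time = $null; Message = $msg }
}

$outcome = Wait-MdmAutoEnroll
if ($outcome.Succeeded) {
    Write-Output "Enrolled at $($outcome.Time): $($outcome.Message)"
    # The scheduled-task variant re-fires every minute; remove it now that enrollment is done
    if (Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue) {
        Unregister-ScheduledTask -TaskName $TaskName -Confirm:$false
    }
} else {
    Write-Warning "Enrollment not confirmed within the timeout. Last event: $($outcome.Message)"
}
```

If you used the plain (non-task) script, the Unregister-ScheduledTask branch simply never runs because Get-ScheduledTask finds nothing; the polling part is the same for both variants.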
5. Troubleshooting the Enrollment
I removed this part from this blog because it was becoming too large, and while becoming too large, it was overshadowing the main part of the blog.
Please visit this blog if you are dealing with Intune enrollment errors or if you are missing the scheduled task to start the enrollment.
When your devices are already joined to Azure AD, you don’t need to reinstall them to get them enrolled into Intune/MDM. Sometimes, enrolling a device into Intune sounds easier than it is. Hopefully, the troubleshooting part showed you how to deal with those kinds of situations!
Please note: wiping the device and enrolling it with Autopilot is the path you will need to take… but sometimes that path isn’t available!