Intune – “Steps for Windows 10 Automated MDM Enrollment into Microsoft Intune”

Business Case

I recently had a scenario at a customer where we needed to enroll machines into Intune very quickly, in an automated way and without user intervention. After a few days of testing and troubleshooting, please find my tips below. In this scenario Co-Management had already been set up in MEMCM. This is in no way an exhaustive list of all the possible steps, just what worked fastest for us.

Steps for MDM Enrollment into Intune

  1. Are your devices Azure AD Registered, Hybrid Azure AD joined, or not joined at all? (dsregcmd /status on the device answers this.)
  2. Are your machines automatically Azure AD Registered after AD Connect syncs your users? Why does this happen? It is by design; the automatic enrollment behaviour is described here:
https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

3. Optionally stop devices from automatically Azure AD Registering by setting the registry value documented in the Hybrid Azure AD join planning guide:

https://docs.microsoft.com/en-us/azure/active-directory/devices/hybrid-azuread-join-plan

4. Add the devices that are to be managed from Intune into the co-management collection in SCCM.

https://www.anoopcnair.com/sccm-co-management-configuration-8/

5. Ensure the Windows enrollment option is configured correctly. This is located in Azure Active Directory under "Mobility (MDM and MAM)" > Microsoft Intune: the enrolling user must fall inside the MDM user scope (Some or All) and hold an Intune license, otherwise auto-enrollment fails silently on the client.

6. Create an SCCM configuration baseline that adds the registry value for MDM auto-enrollment, and deploy it to the co-management collection:

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM]
"AutoEnrollMDM"=dword:00000001

Or use the GPO "Enable automatic MDM enrollment using default Azure AD credentials" (Computer Configuration > Administrative Templates > Windows Components > MDM). It writes the same value (users will have to connect to the on-premises environment to receive the GPO):

[HKLM\Software\Policies\Microsoft\Windows\CurrentVersion\MDM]
"AutoEnrollMDM"=dword:00000001

7. Review and configure Hybrid Azure AD join in Azure AD Connect under Device Options.

 (Any Azure AD Registered machine in the scope of the configuration will become Hybrid Azure AD joined; on Windows 10 1803 and later the leftover Azure AD Registered state is cleaned up automatically.)

8. If the devices get auto-enrolled, success. Otherwise, below are some manual enrollment options:

8.1 Send a deep link via email: ms-device-enrollment:?mode=mdm

8.2 Enroll via the Company Portal: download Company Portal from the Microsoft Store

8.3 Deploy a ppkg via SCCM and PowerShell: Install-ProvisioningPackage -PackagePath BulkEnrollIntune.ppkg -QuietInstall

You can learn about provisioning packages here : https://docs.microsoft.com/en-us/windows/configuration/provisioning-packages/provisioning-create-package
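The steps above can be chained into one script run on a pilot device. The following is an added example, not code from the original post: it reads the join state of step 1, writes the AutoEnrollMDM value of step 6, triggers the enrollment and checks the result before you fall back to the step 8 options. Two points it assumes: the UseAADCredentialType value (1 = user credential, 2 = device credential) is the second value the MDM auto-enrollment GPO writes next to AutoEnrollMDM, and a baseline that only writes the registry value does not create the scheduled task the GPO creates, so the script runs the same deviceenroller.exe command that task would run. The ProviderID "MS DM Server" is what an Intune enrollment records under HKLM\SOFTWARE\Microsoft\Enrollments.

```powershell
#Requires -RunAsAdministrator
# Added example (not from the original post). Run on a pilot device after steps 4, 5 and 7.

$MdmPolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# Step 1: parse dsregcmd /status. It prints "   AzureAdJoined : YES" style lines.
function Get-DeviceJoinState {
    $state = @{}
    foreach ($line in (& "$env:windir\System32\dsregcmd.exe" /status)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined|WorkplaceJoined|TenantName)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    [pscustomobject]@{
        HybridAzureAdJoined = ($state.AzureAdJoined -eq 'YES' -and $state.DomainJoined -eq 'YES')
        AzureAdRegistered   = ($state.WorkplaceJoined -eq 'YES')   # the step 2 / step 3 state
        TenantName          = $state.TenantName
    }
}

# Step 6: the same value the baseline or GPO writes, plus the credential type the GPO sets.
function Set-MdmAutoEnroll {
    param([ValidateSet(1, 2)][int] $CredentialType = 1)   # assumption: 1 = user, 2 = device credential
    if (-not (Test-Path $MdmPolicyKey)) { New-Item -Path $MdmPolicyKey -Force | Out-Null }
    New-ItemProperty -Path $MdmPolicyKey -Name 'AutoEnrollMDM' -PropertyType DWord -Value 1 -Force | Out-Null
    New-ItemProperty -Path $MdmPolicyKey -Name 'UseAADCredentialType' -PropertyType DWord -Value $CredentialType -Force | Out-Null
}

# The GPO also schedules deviceenroller.exe under \Microsoft\Windows\EnterpriseMgmt;
# a baseline that only sets the value does not, so trigger the enrollment directly.
function Invoke-MdmAutoEnroll {
    & "$env:windir\System32\deviceenroller.exe" /c /AutoEnrollMDM
    return $LASTEXITCODE
}

# Step 8 check: an Intune enrollment appears as a GUID subkey with ProviderID "MS DM Server".
function Test-IntuneEnrolled {
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue }
    return [bool]($enrollments | Where-Object { $_.ProviderID -eq 'MS DM Server' })
}

$join = Get-DeviceJoinState
if (-not $join.HybridAzureAdJoined) {
    # AutoEnrollMDM needs a Hybrid Azure AD joined device (step 7); a merely Registered device will not enroll.
    Write-Warning "Device is not Hybrid Azure AD joined (AzureAdRegistered=$($join.AzureAdRegistered)); fix step 7 first."
    return
}

Set-MdmAutoEnroll -CredentialType 1
if (-not (Test-IntuneEnrolled)) {
    $rc = Invoke-MdmAutoEnroll
    Write-Verbose "deviceenroller.exe exit code $rc" -Verbose
    # Enrollment completes asynchronously; poll for up to six minutes.
    for ($i = 0; $i -lt 12 -and -not (Test-IntuneEnrolled); $i++) { Start-Sleep -Seconds 30 }
}

if (Test-IntuneEnrolled) {
    "Enrolled in Intune (tenant $($join.TenantName))"
} else {
    Write-Warning 'Not enrolled; check the events below, then use the step 8 fall-backs (deep link, Company Portal, ppkg).'
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' -MaxEvents 20 |
        Select-Object TimeCreated, Id, LevelDisplayName, Message | Format-Table -Wrap
}
```

Note that the script writes under HKLM\SOFTWARE\Policies, so a baseline or GPO that later re-applies the value will not conflict with it; if the device is still not enrolled, the Enterprise-Diagnostics-Provider log printed at the end normally names the cause (user out of MDM scope, no license, or no Hybrid join).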

Some further options follow below.

9. After testing is completed, consider creating AD groups that contain the devices to be synced into Azure AD. By using an on-premises security group you can also query that group dynamically to add its members to your co-management collection in Configuration Manager.
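The collection of step 9 can be built from the on-premises group with the ConfigurationManager PowerShell module. This is an added example, not code from the original post; the site code, group name and collection name are placeholders you would replace. Two things to keep in mind: the WQL query needs the backslash in the domain-qualified group name doubled, and SystemGroupName is populated by Active Directory System Group Discovery, so the membership rule only picks up a device after that discovery has run against it.

```powershell
# Added example (not from the original post). Run from a machine with the ConfigMgr console installed.
$SiteCode       = 'P01'                            # assumed site code
$AdGroup        = 'CONTOSO\Intune-Pilot-Devices'   # assumed on-prem security group, also synced to Azure AD
$CollectionName = 'Co-Management Pilot'            # assumed collection name used in step 4

Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
Set-Location "$($SiteCode):"   # the module exposes the site as a PSDrive

if (-not (Get-CMDeviceCollection -Name $CollectionName)) {
    New-CMDeviceCollection -Name $CollectionName -LimitingCollectionName 'All Systems' | Out-Null
}

# WQL string literal: the domain separator must be written as "\\".
$wqlGroup = $AdGroup.Replace('\', '\\')
$query = @"
select SMS_R_SYSTEM.ResourceID, SMS_R_SYSTEM.ResourceType, SMS_R_SYSTEM.Name,
       SMS_R_SYSTEM.SMSUniqueIdentifier, SMS_R_SYSTEM.ResourceDomainORWorkgroup, SMS_R_SYSTEM.Client
from SMS_R_System
where SMS_R_System.SystemGroupName = "$wqlGroup"
"@

# Query rule rather than direct rule: membership follows the AD group as machines are added.
Add-CMDeviceCollectionQueryMembershipRule -CollectionName $CollectionName `
    -RuleName "AD group $AdGroup" -QueryExpression $query

# Evaluate membership now instead of waiting for the scheduled update.
Invoke-CMCollectionUpdate -CollectionName $CollectionName
```

Because the same AD group is what Azure AD Connect syncs, one group membership change drives both the Hybrid Azure AD join scope (step 7) and the co-management collection that receives the step 6 baseline.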

10. Alternative remote device management options are:

Set up a CMG | https://systemcenterdudes.com/how-to-configure-sccm-1806-cloud-management-gateway/
IBCM | https://systemcenterdudes.com/internet-based-client-management/
Cloud DP | https://systemcenterdudes.com/sccm-cloud-distribution-point-cloud-management-gateway/

As always, I hope this has been informative, and please feel free to reach out and correct me on any of the steps.
