2025-04-15 07:55:41 +00:00
2025-04-12 19:50:30 +00:00

GPOAutoIntuneEnrollment

This PowerShell script creates a Group Policy Object (GPO) configured for automatic Microsoft Intune device enrollment without linking it to any Organizational Unit (OU) by default. The GPO can be manually linked to target OUs as needed.

Required Modules

RSAT Group Policy and RSAT Active Directory.
Run the commands below if the modules are not installed.

    Get-WindowsCapability -Name Rsat.GroupPolicy* -Online | Add-WindowsCapability -Online
    Get-WindowsCapability -Name Rsat.ActiveDirectory* -Online | Add-WindowsCapability -Online

How to use the script

  1. Copy the script to a domain controller or a domain-joined device with the Group Policy Management tools installed.
  2. Open the script in a text editor and set the variables below (the GPO name and the enrollment, terms and compliance URLs) as needed:
    $GpoName = "Intune_Device_Enrollment"  # Name for your GPO
    $IntuneEnrollmentUrl = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"
    $MdmTermsUrl = "https://portal.manage.microsoft.com/TermsofUse.aspx"
    $MdmComplianceUrl = "https://portal.manage.microsoft.com/?portalAction=Compliance"
  3. Run the script in PowerShell as Administrator.
  4. Link the GPO to the target OUs.

What the Script Configures

| Path | Value | Type | Data | Purpose |
|---|---|---|---|---|
| HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM | AutoEnrollMDM | DWORD | 1 | Enables automatic MDM enrollment |
| HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM | UseAADCredentialType | DWORD | 1 | Uses Azure AD credentials |
| HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\{GUID} | DiscoveryServiceUrl | String | Enrollment URL | Intune discovery endpoint |
| HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment | TermsUrl | String | Terms URL | MDM terms of use |
| HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment | ComplianceUrl | String | Compliance URL | MDM compliance portal |
| HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System | AADJoinAuthEndpoint | String | Login URL | Azure AD authentication |
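The following is an added example, not the repository's own script, showing how the table above maps onto the GroupPolicy module: an unlinked GPO is created (or reused if it already exists), each row is written with Set-GPRegistryValue, the values are read back, and the GPO's edit permissions are listed so you can confirm who is able to change enrollment settings before the GPO is linked. The variable names and URLs are the README's; $AadLoginUrl and the $EnrollmentAccountGuid placeholder are assumptions.

```powershell
#Requires -Modules GroupPolicy
#Requires -RunAsAdministrator
# Added example (not the project's script): build the unlinked enrollment GPO
# from the settings table and review the result before linking it to any OU.
Import-Module GroupPolicy

# Variables as named in the README; the values are the README's defaults.
$GpoName             = "Intune_Device_Enrollment"
$IntuneEnrollmentUrl = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"
$MdmTermsUrl         = "https://portal.manage.microsoft.com/TermsofUse.aspx"
$MdmComplianceUrl    = "https://portal.manage.microsoft.com/?portalAction=Compliance"
$AadLoginUrl         = "https://login.microsoftonline.com"   # assumed data for the AADJoinAuthEndpoint row
$EnrollmentAccountGuid = "{GUID}"   # placeholder exactly as in the table; replace with the real OMA-DM account GUID

# One entry per table row: Key, ValueName, Type, Value.
$Settings = @(
    @{ Key = "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM";                    ValueName = "AutoEnrollMDM";        Type = "DWord";  Value = 1 },
    @{ Key = "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM";                    ValueName = "UseAADCredentialType"; Type = "DWord";  Value = 1 },
    @{ Key = "HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$EnrollmentAccountGuid";     ValueName = "DiscoveryServiceUrl";  Type = "String"; Value = $IntuneEnrollmentUrl },
    @{ Key = "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment";          ValueName = "TermsUrl";             Type = "String"; Value = $MdmTermsUrl },
    @{ Key = "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment";          ValueName = "ComplianceUrl";        Type = "String"; Value = $MdmComplianceUrl },
    @{ Key = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";                 ValueName = "AADJoinAuthEndpoint";  Type = "String"; Value = $AadLoginUrl }
)

# Idempotent: reuse an existing GPO of the same name instead of creating a duplicate.
$Gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $Gpo) {
    $Gpo = New-GPO -Name $GpoName -Comment "Automatic Intune MDM enrollment (unlinked; link to target OUs manually)"
    Write-Host "Created GPO '$GpoName' ($($Gpo.Id))"
} else {
    Write-Host "Reusing existing GPO '$GpoName' ($($Gpo.Id))"
}

# Write every row as a Computer Configuration registry policy value.
foreach ($s in $Settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName -Type $s.Type -Value $s.Value | Out-Null
}

# Read the values back from the GPO so they can be reviewed before the GPO is linked.
foreach ($s in $Settings) {
    Get-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName |
        Select-Object FullKeyPath, ValueName, Type, Value
}

# Anyone who can edit this GPO can change where every linked device enrolls, so list
# the edit-capable trustees and confirm they are the intended administrators only.
Get-GPPermission -Name $GpoName -All |
    Where-Object { $_.Permission -in 'GpoEdit', 'GpoEditDeleteModifySecurity' } |
    Select-Object Trustee, Permission
```

The GPO is deliberately left unlinked, matching the script's behaviour; use the Group Policy Management Console or New-GPLink to attach it to the target OUs once the values and permissions look right.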

Verification Steps

  1. On a test device in the target OU, run: 'gpupdate /force'
  2. On the same device, run: 'dsregcmd /status'
  3. Check the enrollment status in Intune: Intune Portal > Devices > All Devices

Troubleshooting Steps

  1. Verify GPO application with: 'gpresult /r' or 'gpresult /h gpreport.html'
  2. Check the registry settings on the test device; all configured keys should be present
  3. Verify network connectivity to the Intune endpoints
  4. Check the Azure AD device registration settings
  5. Check the Azure AD Connect synchronization status
  6. Check network connectivity to:
    https://enrollment.manage.microsoft.com
    https://login.microsoftonline.com
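As an added example (not part of the repository), the script below runs the verification and troubleshooting checks above in one pass on a test device in the linked OU: GPO application via gpresult, the registry values from the settings table, the device registration state from dsregcmd, and TCP 443 reachability of the endpoints. $GpoName must match the GPO you created; the expected data for the URL-typed values is only checked for presence, since the exact URLs depend on what you set in the script.

```powershell
#Requires -RunAsAdministrator
# Added example (not the project's script): verify the enrollment GPO on a test device.
$GpoName = "Intune_Device_Enrollment"

$Results = [System.Collections.Generic.List[object]]::new()
function Add-Check([string]$Name, [bool]$Ok, [string]$Detail) {
    $script:Results.Add([pscustomobject]@{ Check = $Name; Ok = $Ok; Detail = $Detail })
}

# 1. Did the GPO apply to this computer? (troubleshooting step 1)
$gpresult = gpresult /r /scope:computer 2>&1 | Out-String
Add-Check "GPO applied" ($gpresult -match [regex]::Escape($GpoName)) "gpresult /r /scope:computer"

# 2. Are the registry values from the settings table present? (troubleshooting step 2)
#    Value = $null means "any non-empty data is accepted" (URL values set in the script).
$Expected = @(
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM";                Name = "AutoEnrollMDM";        Value = 1 },
    @{ Path = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM";                Name = "UseAADCredentialType"; Value = 1 },
    @{ Path = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment";      Name = "TermsUrl";             Value = $null },
    @{ Path = "HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment";      Name = "ComplianceUrl";        Value = $null },
    @{ Path = "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System";             Name = "AADJoinAuthEndpoint";  Value = $null }
)
foreach ($e in $Expected) {
    $actual = (Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue).($e.Name)
    $ok = if ($null -eq $e.Value) { -not [string]::IsNullOrEmpty($actual) } else { $actual -eq $e.Value }
    Add-Check "Registry $($e.Name)" $ok "$($e.Path) = '$actual'"
}
# The OMA-DM account key is named by a GUID, so accept any account that carries a DiscoveryServiceUrl.
$accounts = Get-ChildItem "HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts" -ErrorAction SilentlyContinue |
    ForEach-Object { (Get-ItemProperty $_.PSPath).DiscoveryServiceUrl } | Where-Object { $_ }
Add-Check "Registry DiscoveryServiceUrl" ([bool]$accounts) ($accounts -join ', ')

# 3. Device registration state (verification step 2). dsregcmd prints "Name : Value" lines.
$dsreg = dsregcmd /status 2>&1 | Out-String
$aadJoined = $dsreg -match 'AzureAdJoined\s*:\s*YES'
$mdmUrl = if ($dsreg -match 'MdmUrl\s*:\s*(\S+)') { $Matches[1] } else { '' }
Add-Check "Azure AD joined" $aadJoined "dsregcmd /status"
Add-Check "MDM URL reported" ([bool]$mdmUrl) $mdmUrl

# 4. Reachability of the endpoints (troubleshooting steps 3 and 6). This is a TCP 443 check only;
#    a proxy or TLS inspection that is reachable but rewrites traffic can still break enrollment.
foreach ($h in 'enrollment.manage.microsoft.com', 'login.microsoftonline.com', 'portal.manage.microsoft.com') {
    $ok = Test-NetConnection -ComputerName $h -Port 443 -InformationLevel Quiet -WarningAction SilentlyContinue
    Add-Check "TCP 443 to $h" $ok $h
}

$Results | Format-Table -AutoSize
if ($Results.Ok -contains $false) { exit 1 }   # non-zero exit when any check failed
```

A failed "GPO applied" check with passing registry checks usually means the values came from somewhere other than this GPO (another policy or a manual change), which is worth knowing before linking the GPO more widely.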