Created README.md and script file, populated script file

2025-04-13 03:21:53 +08:00 · 2025-04-13 03:21:53 +08:00 · 5eaa622efa
commit 5eaa622efa
2 changed files with 58 additions and 0 deletions
--- a/Create-IntuneEnrollmentGPO.ps1
+++ b/Create-IntuneEnrollmentGPO.ps1
@ -0,0 +1,58 @@
+<#
+.SYNOPSIS
+    Creates a GPO for automatic Intune device enrollment without linking it to any OU.
+.DESCRIPTION
+    This script creates a new Group Policy Object configured for automatic Intune enrollment
+    but doesn't link it to any Organizational Unit by default.
+.NOTES
+    Author          : Kyle Pope + AI
+    Date Created    : 13/04/25
+    Version         : 1.0.0
+    Requires        : GroupPolicy & ActiveDirectory Modules
+    File Name       : Create-IntuneEnrollmentGPO.ps1
+#>
+
+# Import required modules
+Import-Module GroupPolicy -ErrorAction Stop
+Import-Module ActiveDirectory -ErrorAction Stop
+
+# Parameters - customize these for your environment
+$GpoName = "Intune_Device_Enrollment"
+$IntuneEnrollmentUrl = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"
+$MdmTermsUrl = "https://portal.manage.microsoft.com/TermsofUse.aspx"
+$MdmComplianceUrl = "https://portal.manage.microsoft.com/?portalAction=Compliance"
+
+# Create the new GPO
+Write-Host "Creating GPO: $GpoName"
+try {
+    $newGpo = New-GPO -Name $GpoName -Comment "GPO for automatic Intune device enrollment"
+    
+    if (-not $newGpo) {
+        throw "Failed to create GPO"
+    }
+
+    # Configure the MDM enrollment settings
+    Write-Host "Configuring MDM enrollment settings..."
+
+    # Set the basic MDM enrollment settings
+    Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM" -ValueName "AutoEnrollMDM" -Type DWord -Value 1
+    Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM" -ValueName "UseAADCredentialType" -Type DWord -Value 1
+
+    # Set the discovery service URL
+    Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\{GUID}" -ValueName "DiscoveryServiceUrl" -Type String -Value $IntuneEnrollmentUrl
+
+    # Set terms and compliance URLs (optional)
+    Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment" -ValueName "TermsUrl" -Type String -Value $MdmTermsUrl
+    Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment" -ValueName "ComplianceUrl" -Type String -Value $MdmComplianceUrl
+
+    # Enable automatic MDM enrollment using AAD credentials
+    Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName "AADJoinAuthEndpoint" -Type String -Value "https://login.microsoftonline.com"
+    Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName "AADJoinAuthEndpointSuffix" -Type String -Value "common/oauth2/authorize"
+
+    Write-Host "GPO '$GpoName' created and configured successfully for Intune device enrollment."
+    Write-Host "Note: This GPO has not been linked to any OU. You can manually link it later using Group Policy Management Console."
+}
+catch {
+    Write-Error "An error occurred while creating or configuring the GPO: $_"
+    exit 1
+}
--- a/README.md
+++ b/README.md