commit 5eaa622efabad5692a2d9aaab0c4b72d4b724d3a
Author: Kyle
Date: Sun Apr 13 03:21:53 2025 +0800
Created README.md and script file, populated script file
diff --git a/Create-IntuneEnrollmentGPO.ps1 b/Create-IntuneEnrollmentGPO.ps1
new file mode 100644
index 0000000..ddb8011
--- /dev/null
+++ b/Create-IntuneEnrollmentGPO.ps1
@@ -0,0 +1,58 @@
+<#
+.SYNOPSIS
+ Creates a GPO for automatic Intune device enrollment without linking it to any OU.
+.DESCRIPTION
+ This script creates a new Group Policy Object configured for automatic Intune enrollment
+ but doesn't link it to any Organizational Unit by default.
+.NOTES
+ Author : Kyle Pope + AI
+ Date Created : 13/04/25
+ Version : 1.0.0
+ Requires : GroupPolicy & ActiveDirectory Modules
+ File Name : Create-IntuneEnrollmentGPO.ps1
+#>
+
+# Import required modules
+Import-Module GroupPolicy -ErrorAction Stop
+Import-Module ActiveDirectory -ErrorAction Stop
+
+# Parameters - customize these for your environment
+$GpoName = "Intune_Device_Enrollment"
+$IntuneEnrollmentUrl = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"
+$MdmTermsUrl = "https://portal.manage.microsoft.com/TermsofUse.aspx"
+$MdmComplianceUrl = "https://portal.manage.microsoft.com/?portalAction=Compliance"
+
+# Create the new GPO
+Write-Host "Creating GPO: $GpoName"
+try {
+ $newGpo = New-GPO -Name $GpoName -Comment "GPO for automatic Intune device enrollment"
+
+ if (-not $newGpo) {
+ throw "Failed to create GPO"
+ }
+
+ # Configure the MDM enrollment settings
+ Write-Host "Configuring MDM enrollment settings..."
+
+ # Set the basic MDM enrollment settings
+ Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM" -ValueName "AutoEnrollMDM" -Type DWord -Value 1
+ Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM" -ValueName "UseAADCredentialType" -Type DWord -Value 1
+
+ # Set the discovery service URL
+ Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\{GUID}" -ValueName "DiscoveryServiceUrl" -Type String -Value $IntuneEnrollmentUrl
+
+ # Set terms and compliance URLs (optional)
+ Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment" -ValueName "TermsUrl" -Type String -Value $MdmTermsUrl
+ Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment" -ValueName "ComplianceUrl" -Type String -Value $MdmComplianceUrl
+
+ # Enable automatic MDM enrollment using AAD credentials
+ Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName "AADJoinAuthEndpoint" -Type String -Value "https://login.microsoftonline.com"
+ Set-GPRegistryValue -Name $GpoName -Key "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System" -ValueName "AADJoinAuthEndpointSuffix" -Type String -Value "common/oauth2/authorize"
+
+ Write-Host "GPO '$GpoName' created and configured successfully for Intune device enrollment."
+ Write-Host "Note: This GPO has not been linked to any OU. You can manually link it later using Group Policy Management Console."
+}
+catch {
+ Write-Error "An error occurred while creating or configuring the GPO: $_"
+ exit 1
+}
\ No newline at end of file
diff --git a/README.md b/README.md
new file mode 100644
index 0000000..e69de29
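Review bot: The `DiscoveryServiceUrl` call writes to the literal key path `HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\{GUID}`: `{GUID}` is an unreplaced placeholder, no variable in the script supplies a real enrollment-account GUID, and `Set-GPRegistryValue` will create a key literally named `{GUID}` on every machine the GPO is eventually linked to. That key and the `PolicyManager\current\device\DeviceEnrollment` key are outside the managed policy hives (`HKLM\SOFTWARE\Policies` and `HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies`), so values the GPO pushes there are tattooed and remain on the device after the GPO is unlinked or deleted; the `.DESCRIPTION` block should say so, and those writes should be checked against Microsoft's documented auto-enrollment settings before the GPO is linked anywhere. The `AutoEnrollMDM` and `UseAADCredentialType` values under `HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM` are the policy-backed settings; I would drop the `{GUID}` line and replace it with `# TODO: DiscoveryServiceUrl lives under a per-enrollment-account GUID and cannot be set from a static GPO path`. `New-GPO` also fails when a GPO named `$GpoName` already exists, so a `Get-GPO -Name $GpoName -ErrorAction SilentlyContinue` pre-check ahead of the `try` would make the script safe to re-run.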