rohskiddo/GPOAutoIntuneEnrolment
1
0
Fork 0
Code Issues Pull Requests Actions Packages Projects Releases Wiki Activity

Update README.md

Browse Source
This commit is contained in:
Kyle 2025-04-12 19:50:30 +00:00
parent 5eaa622efa
commit de131e6021
1 changed files with 53 additions and 0 deletions
Show Stats Download Patch File Download Diff File Expand all files Collapse all files

53
README.md
View File

@ -0,0 +1,53 @@
# GPOAutoIntuneEnrollment
This PowerShell script creates a Group Policy Object (GPO) configured for automatic Microsoft Intune device enrollment without linking it to any Organizational Unit (OU) by default. The GPO can be manually linked to target OUs as needed.
### Required Modules
RSAT Group Policy & RSAT Active Directory.<br>
Run below if modules are not installed.
```
Get-WindowsCapability -Name Rsat.GroupPolicy* -Online | Add-WindowsCapability -Online
Get-WindowsCapability -Name Rsat.ActiveDirectory* -Online | Add-WindowsCapability -Online
```
### How to use the script
1. Copy script to domain controller or domain-joined device with Group Policy Management tools installed.
2. Open in text editor, modify the variables with related Urls
```
$GpoName = "Intune_Device_Enrollment" # Name for your GPO
$IntuneEnrollmentUrl = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"
$MdmTermsUrl = "https://portal.manage.microsoft.com/TermsofUse.aspx"
$MdmComplianceUrl = "https://portal.manage.microsoft.com/?portalAction=Compliance"
```
3. Run in PowerShell as Administrator
4. Link GPO to target OUs
### What the Script Configures
|Path |Value |Type |Data | Purpose |
|:---------|:--------|:-------|:------:|:-----------|
|HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM|AutoEnrollMDM|DWORD|1|Enables automatic MDM enrollment|
|HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM|UseAADCredentialType|DWORD|1|Uses Azure AD credentials|
|HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\{GUID}|DiscoveryServiceUrl|String|Enrollment URL|Intune discovery endpoint|
|HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment|TermsUrl|String|Terms URL|MDM terms of use|
|HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment|ComplianceUrl|String|Compliance URL|MDM compliance portal|
|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System|AADJoinAuthEndpoint|String|Login URL|Azure AD authentication|
### Verification Steps
1. On a test device in target OU, run: 'gpupdate /force'
2. On a test device in target OU, run: 'dsregcmd /status'
3. Check enrollment status in intune: Intune Portal > Devices > All Devices
### Troubleshooting Steps
1. Verify GPO Applicaton with: 'gpresult /r' or 'gpresult /h gpreport.html'
2. Check registry settings on test device, all configured keys should be present
3. Verify network connectivity to Intune endpoints
4. Check Azure AD device registration settings
5. check Azure AD Connet synchronization status
6. check network connectivity to:
```
https://enrollment.manage.microsoft.com
https://login.microsoftonline.com
```