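<#
.SYNOPSIS
    Creates a GPO for automatic Intune device enrollment without linking it to any OU.

.DESCRIPTION
    This script creates a new Group Policy Object configured for automatic Intune
    enrollment but doesn't link it to any Organizational Unit by default.

    Every registry write is treated as a terminating error so that a partially
    configured GPO is reported as a failure instead of "created and configured
    successfully".

.PARAMETER GpoName
    Name of the GPO to create. Defaults to "Intune_Device_Enrollment".

.PARAMETER IntuneEnrollmentUrl
    MDM discovery service URL written as DiscoveryServiceUrl.

.PARAMETER MdmTermsUrl
    Terms-of-use URL written as TermsUrl (optional setting).

.PARAMETER MdmComplianceUrl
    Compliance portal URL written as ComplianceUrl (optional setting).

.PARAMETER OmaDmAccountKey
    Registry key that receives DiscoveryServiceUrl. The original script wrote
    this key with a literal "{GUID}" path segment, which looks like an
    unreplaced placeholder; the default is kept for backward compatibility but
    the caller should confirm the intended key and override it.

.NOTES
    Author       : Kyle Pope + AI
    Date Created : 13/04/25
    Version      : 1.0.0
    Requires     : GroupPolicy & ActiveDirectory Modules
    File Name    : Create-IntuneEnrollmentGPO.ps1
#>
[CmdletBinding()]
param(
    [string]$GpoName = "Intune_Device_Enrollment",
    [string]$IntuneEnrollmentUrl = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc",
    [string]$MdmTermsUrl = "https://portal.manage.microsoft.com/TermsofUse.aspx",
    [string]$MdmComplianceUrl = "https://portal.manage.microsoft.com/?portalAction=Compliance",
    # TODO(review): "{GUID}" is written literally; confirm the real key before relying on this value.
    [string]$OmaDmAccountKey = 'HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\{GUID}'
)

# Import required modules; fail fast if either is unavailable.
Import-Module GroupPolicy -ErrorAction Stop
Import-Module ActiveDirectory -ErrorAction Stop

#######################################
# Writes one registry value into the named GPO.
# Set-GPRegistryValue emits a NON-terminating error by default, which would
# bypass the caller's try/catch; -ErrorAction Stop makes every failed write
# abort the script so a half-configured GPO is never reported as success.
# Arguments: -TargetGpo  name of the GPO to modify
#            -Key        registry key (HKLM\... or HKCU\...)
#            -ValueName  value name under the key
#            -Type       registry value kind (e.g. DWord, String)
#            -Value      value to write
#######################################
function Set-EnrollmentRegistryValue {
    param(
        [Parameter(Mandatory)][string]$TargetGpo,
        [Parameter(Mandatory)][string]$Key,
        [Parameter(Mandatory)][string]$ValueName,
        [Parameter(Mandatory)][string]$Type,
        [Parameter(Mandatory)]$Value
    )
    Set-GPRegistryValue -Name $TargetGpo -Key $Key -ValueName $ValueName `
        -Type $Type -Value $Value -ErrorAction Stop
}

# Create the new GPO
Write-Host "Creating GPO: $GpoName"
try {
    # Give a clear message instead of letting New-GPO fail on a duplicate name.
    if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
        throw "A GPO named '$GpoName' already exists"
    }

    $newGpo = New-GPO -Name $GpoName -Comment "GPO for automatic Intune device enrollment" -ErrorAction Stop
    if (-not $newGpo) {
        throw "Failed to create GPO"
    }

    # Configure the MDM enrollment settings
    Write-Host "Configuring MDM enrollment settings..."

    # Basic MDM enrollment settings (true policy keys under HKLM\SOFTWARE\Policies).
    $mdmPolicyKey = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    Set-EnrollmentRegistryValue -TargetGpo $GpoName -Key $mdmPolicyKey -ValueName 'AutoEnrollMDM' -Type DWord -Value 1
    Set-EnrollmentRegistryValue -TargetGpo $GpoName -Key $mdmPolicyKey -ValueName 'UseAADCredentialType' -Type DWord -Value 1

    # NOTE(review): the keys below are outside HKLM\SOFTWARE\Policies. Values written
    # there by a GPO behave as preferences rather than policies and remain on the
    # client after the GPO is removed; confirm these paths are intended.

    # Set the discovery service URL
    Set-EnrollmentRegistryValue -TargetGpo $GpoName -Key $OmaDmAccountKey -ValueName 'DiscoveryServiceUrl' -Type String -Value $IntuneEnrollmentUrl

    # Set terms and compliance URLs (optional)
    $deviceEnrollmentKey = 'HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment'
    Set-EnrollmentRegistryValue -TargetGpo $GpoName -Key $deviceEnrollmentKey -ValueName 'TermsUrl' -Type String -Value $MdmTermsUrl
    Set-EnrollmentRegistryValue -TargetGpo $GpoName -Key $deviceEnrollmentKey -ValueName 'ComplianceUrl' -Type String -Value $MdmComplianceUrl

    # Enable automatic MDM enrollment using AAD credentials
    $systemPolicyKey = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    Set-EnrollmentRegistryValue -TargetGpo $GpoName -Key $systemPolicyKey -ValueName 'AADJoinAuthEndpoint' -Type String -Value 'https://login.microsoftonline.com'
    Set-EnrollmentRegistryValue -TargetGpo $GpoName -Key $systemPolicyKey -ValueName 'AADJoinAuthEndpointSuffix' -Type String -Value 'common/oauth2/authorize'

    Write-Host "GPO '$GpoName' created and configured successfully for Intune device enrollment."
    Write-Host "Note: This GPO has not been linked to any OU. You can manually link it later using Group Policy Management Console."
}
catch {
    Write-Error "An error occurred while creating or configuring the GPO: $_"
    exit 1
}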