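<#
.SYNOPSIS
Creates a GPO for automatic Intune device enrollment without linking it to any OU.

.DESCRIPTION
This script creates a new Group Policy Object configured for automatic Intune enrollment
but doesn't link it to any Organizational Unit by default.

The GPO name and the enrollment / terms / compliance URLs can be overridden on the
command line; the defaults are the values the script originally hard-coded. The script
refuses to run if a GPO with the requested name already exists, and every registry write
into the GPO is treated as fatal so that a partially configured GPO is reported as an
error rather than as success.

.PARAMETER GpoName
Name of the GPO to create.

.PARAMETER IntuneEnrollmentUrl
MDM discovery service URL written as DiscoveryServiceUrl (only when -OmaDmAccountId is given).

.PARAMETER MdmTermsUrl
Terms-of-use URL written as TermsUrl.

.PARAMETER MdmComplianceUrl
Compliance portal URL written as ComplianceUrl.

.PARAMETER OmaDmAccountId
Optional. Subkey name under HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts that receives
DiscoveryServiceUrl. The original script wrote this value under a subkey literally named
"{GUID}" (an unreplaced placeholder); when this parameter is empty the write is skipped and a
warning is emitted instead.

.EXAMPLE
.\Create-IntuneEnrollmentGPO.ps1
Creates "Intune_Device_Enrollment" with the default URLs.

.EXAMPLE
.\Create-IntuneEnrollmentGPO.ps1 -GpoName "Intune_Enroll_Test" -Verbose
Creates a differently named GPO and prints each registry value as it is written.

.NOTES
Author : Kyle Pope + AI
Date Created : 13/04/25
Version : 1.0.0
Requires : GroupPolicy & ActiveDirectory Modules
File Name : Create-IntuneEnrollmentGPO.ps1
#>

[CmdletBinding()]
param(
  # Parameters - customize these for your environment (defaults match the original script)
  [string]$GpoName = "Intune_Device_Enrollment",
  [string]$IntuneEnrollmentUrl = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc",
  [string]$MdmTermsUrl = "https://portal.manage.microsoft.com/TermsofUse.aspx",
  [string]$MdmComplianceUrl = "https://portal.manage.microsoft.com/?portalAction=Compliance",
  # Becomes a registry key name, so a backslash must not be allowed through.
  [ValidatePattern('^[^\\]*$')]
  [string]$OmaDmAccountId = ''
)

# GroupPolicy cmdlets raise non-terminating errors by default; with the default
# 'Continue' preference a failed Set-GPRegistryValue would never reach the catch
# block below and the script would still print the success message.
$ErrorActionPreference = 'Stop'

# Import required modules
Import-Module GroupPolicy -ErrorAction Stop
# Not used by any step below; kept because the header lists it as a requirement.
Import-Module ActiveDirectory -ErrorAction Stop

# Registry key paths written into the GPO. Only the first and the last live under a
# Group Policy "Policies" root; the PolicyManager key is outside the policy roots, so
# values written there are not cleaned up when the GPO stops applying (tattooing).
$MdmPolicyKey        = "HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"
$DeviceEnrollmentKey = "HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment"
$SystemPolicyKey     = "HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

#######################################
# Writes one registry value into $GpoName, failing the script on any error.
# Arguments: -Key, -ValueName, -Type (RegistryValueKind name), -Value
# Outputs:   the value being written, on the verbose stream
#######################################
function Set-GpoRegistryPolicy {
  param(
    [Parameter(Mandatory)][string]$Key,
    [Parameter(Mandatory)][string]$ValueName,
    [Parameter(Mandatory)][string]$Type,
    [Parameter(Mandatory)]$Value
  )
  Write-Verbose "  $Key\$ValueName ($Type) = $Value"
  # -ErrorAction Stop is explicit so the helper is safe even if the caller changes
  # $ErrorActionPreference; the returned GPO object is discarded on purpose.
  $null = Set-GPRegistryValue -Name $GpoName -Key $Key -ValueName $ValueName `
    -Type $Type -Value $Value -ErrorAction Stop
}

# Create the new GPO
Write-Host "Creating GPO: $GpoName"
try {
  # Fail early with a clear message instead of New-GPO's generic duplicate-name error.
  if (Get-GPO -Name $GpoName -ErrorAction SilentlyContinue) {
    throw "A GPO named '$GpoName' already exists; choose another name or remove it first."
  }

  $newGpo = New-GPO -Name $GpoName -Comment "GPO for automatic Intune device enrollment" -ErrorAction Stop
  if (-not $newGpo) {
    throw "Failed to create GPO"
  }

  # Configure the MDM enrollment settings
  Write-Host "Configuring MDM enrollment settings..."

  # Set the basic MDM enrollment settings. UseAADCredentialType=1 corresponds to the
  # user-credential option of the auto-enrollment policy (2 would be device credential)
  # — confirm against the MDM.admx in use.
  Set-GpoRegistryPolicy -Key $MdmPolicyKey -ValueName "AutoEnrollMDM" -Type DWord -Value 1
  Set-GpoRegistryPolicy -Key $MdmPolicyKey -ValueName "UseAADCredentialType" -Type DWord -Value 1

  # Set the discovery service URL.
  # NOTE(review): the original wrote this under a subkey literally named "{GUID}", i.e. an
  # unreplaced placeholder. The Accounts\<id> subkeys are normally created by the enrollment
  # client itself — confirm whether pre-seeding one is needed before passing -OmaDmAccountId.
  if ($OmaDmAccountId) {
    Set-GpoRegistryPolicy -Key "HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$OmaDmAccountId" `
      -ValueName "DiscoveryServiceUrl" -Type String -Value $IntuneEnrollmentUrl
  }
  else {
    Write-Warning "No -OmaDmAccountId supplied; skipping DiscoveryServiceUrl (the original script wrote it under a literal '{GUID}' key)."
  }

  # Set terms and compliance URLs (optional)
  Set-GpoRegistryPolicy -Key $DeviceEnrollmentKey -ValueName "TermsUrl" -Type String -Value $MdmTermsUrl
  Set-GpoRegistryPolicy -Key $DeviceEnrollmentKey -ValueName "ComplianceUrl" -Type String -Value $MdmComplianceUrl

  # Enable automatic MDM enrollment using AAD credentials
  Set-GpoRegistryPolicy -Key $SystemPolicyKey -ValueName "AADJoinAuthEndpoint" -Type String -Value "https://login.microsoftonline.com"
  Set-GpoRegistryPolicy -Key $SystemPolicyKey -ValueName "AADJoinAuthEndpointSuffix" -Type String -Value "common/oauth2/authorize"

  Write-Host "GPO '$GpoName' created and configured successfully for Intune device enrollment."
  Write-Host "Note: This GPO has not been linked to any OU. You can manually link it later using Group Policy Management Console."
}
catch {
  Write-Error "An error occurred while creating or configuring the GPO: $_"
  exit 1
}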