2025-04-12 19:50:30 +00:00

GPOAutoIntuneEnrollment

This PowerShell script creates a Group Policy Object (GPO) configured for automatic Microsoft Intune device enrollment without linking it to any Organizational Unit (OU) by default. The GPO can be manually linked to target OUs as needed.

Required Modules

RSAT Group Policy and RSAT Active Directory.
Run the commands below if the modules are not installed:

    Get-WindowsCapability -Name Rsat.GroupPolicy* -Online | Add-WindowsCapability -Online
    Get-WindowsCapability -Name Rsat.ActiveDirectory* -Online | Add-WindowsCapability -Online

How to use the script

  1. Copy the script to a domain controller or a domain-joined device with the Group Policy Management tools installed.
  2. Open it in a text editor and set the variables to the GPO name and URLs you want to use:
    $GpoName = "Intune_Device_Enrollment"  # Name for your GPO
    $IntuneEnrollmentUrl = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"
    $MdmTermsUrl = "https://portal.manage.microsoft.com/TermsofUse.aspx"
    $MdmComplianceUrl = "https://portal.manage.microsoft.com/?portalAction=Compliance"
  3. Run the script in PowerShell as Administrator.
  4. Link the GPO to the target OUs.

What the Script Configures

Path
    Value                   Type     Data              Purpose

HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
    AutoEnrollMDM           DWORD    1                 Enables automatic MDM enrollment
    UseAADCredentialType    DWORD    1                 Uses Azure AD credentials

HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\{GUID}
    DiscoveryServiceUrl     String   Enrollment URL    Intune discovery endpoint

HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment
    TermsUrl                String   Terms URL         MDM terms of use
    ComplianceUrl           String   Compliance URL    MDM compliance portal

HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System
    AADJoinAuthEndpoint     String   Login URL         Azure AD authentication
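The following is an added example of how a GPO carrying these values can be created unlinked with the GroupPolicy module; it is not the GPOAutoIntuneEnrollment script itself. It assumes the RSAT GroupPolicy module is installed and the session runs with rights to create GPOs in the domain. The login URL variable, the OMA-DM account GUID and the OU distinguished name in the commented link line are placeholders, not values from the script.

```powershell
# Added example (not the GPOAutoIntuneEnrollment script): create an unlinked GPO and
# write the registry-based policy values from the table above.
# Assumes: RSAT GroupPolicy module present; session has rights to create GPOs.
Import-Module GroupPolicy

$GpoName             = "Intune_Device_Enrollment"
$IntuneEnrollmentUrl = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"
$MdmTermsUrl         = "https://portal.manage.microsoft.com/TermsofUse.aspx"
$MdmComplianceUrl    = "https://portal.manage.microsoft.com/?portalAction=Compliance"
$AadLoginUrl         = "https://login.microsoftonline.com"                 # the table's "Login URL" (assumed variable name)
$OmaDmAccountGuid    = "{00000000-0000-0000-0000-000000000000}"            # PLACEHOLDER: OMA-DM account GUID on your devices

# Idempotent: reuse the GPO if an earlier run already created it.
$gpo = Get-GPO -Name $GpoName -ErrorAction SilentlyContinue
if (-not $gpo) {
    $gpo = New-GPO -Name $GpoName -Comment "Automatic Intune MDM enrollment (created unlinked; link to OUs manually)"
}

# One entry per row of the table. Keys use the HKLM\... form that Set-GPRegistryValue expects.
$settings = @(
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM';                 ValueName = 'AutoEnrollMDM';        Type = 'DWord';  Value = 1 }
    @{ Key = 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM';                 ValueName = 'UseAADCredentialType'; Type = 'DWord';  Value = 1 }
    @{ Key = "HKLM\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts\$OmaDmAccountGuid";        ValueName = 'DiscoveryServiceUrl';  Type = 'String'; Value = $IntuneEnrollmentUrl }
    @{ Key = 'HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment';       ValueName = 'TermsUrl';             Type = 'String'; Value = $MdmTermsUrl }
    @{ Key = 'HKLM\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment';       ValueName = 'ComplianceUrl';        Type = 'String'; Value = $MdmComplianceUrl }
    @{ Key = 'HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';              ValueName = 'AADJoinAuthEndpoint';  Type = 'String'; Value = $AadLoginUrl }
)

foreach ($s in $settings) {
    Set-GPRegistryValue -Name $GpoName -Key $s.Key -ValueName $s.ValueName -Type $s.Type -Value $s.Value | Out-Null
}

# Read back what was written so the GPO can be reviewed before anyone links it.
foreach ($key in ($settings.Key | Sort-Object -Unique)) {
    Get-GPRegistryValue -Name $GpoName -Key $key | Select-Object FullKeyPath, ValueName, Type, Value
}

# Nothing is linked yet. Link manually once reviewed, for example:
# New-GPLink -Name $GpoName -Target "OU=Workstations,DC=example,DC=com"   # PLACEHOLDER OU DN
"GPO '$GpoName' created with Id $($gpo.Id); no OU links."
```

Set-GPRegistryValue writes the entries into the GPO's registry.pol, so the values appear on clients only after the GPO is linked and Group Policy is refreshed. Reading the settings back with Get-GPRegistryValue before linking gives a change-control record of exactly what the GPO will push; comparing that record against the table above catches a wrong URL before it reaches any device.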

Verification Steps

  1. On a test device in the target OU, run: 'gpupdate /force'
  2. On a test device in the target OU, run: 'dsregcmd /status'
  3. Check enrollment status in Intune: Intune Portal > Devices > All Devices

Troubleshooting Steps

  1. Verify GPO application with: 'gpresult /r' or 'gpresult /h gpreport.html'
  2. Check the registry settings on the test device; all configured keys should be present
  3. Verify network connectivity to the Intune endpoints
  4. Check the Azure AD device registration settings
  5. Check the Azure AD Connect synchronization status
  6. Check network connectivity to:
    https://enrollment.manage.microsoft.com
    https://login.microsoftonline.com
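As an added example (not part of the GPOAutoIntuneEnrollment script), the following PowerShell, run as Administrator on a test device after 'gpupdate /force', combines verification step 2 and troubleshooting steps 2, 3 and 6: it compares the registry values against the ones listed in this README, summarises the relevant lines of 'dsregcmd /status', and tests TCP 443 reachability of the two endpoints. The expected values are the README's defaults; if the script was run with different URLs, adjust them here. The OMA-DM account subkey is matched by wildcard because its GUID differs per device.

```powershell
# Added example (not the GPOAutoIntuneEnrollment script): verify on a test device that the
# GPO's registry values arrived, that the device is Azure AD joined, and that the endpoints are reachable.
# Expected values below are the README defaults; change them if the GPO was created with other URLs.
$expected = @(
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM';           Name = 'AutoEnrollMDM';        Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM';           Name = 'UseAADCredentialType'; Value = 1 }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment'; Name = 'TermsUrl';             Value = 'https://portal.manage.microsoft.com/TermsofUse.aspx' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\PolicyManager\current\device\DeviceEnrollment'; Name = 'ComplianceUrl';        Value = 'https://portal.manage.microsoft.com/?portalAction=Compliance' }
    @{ Path = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System';        Name = 'AADJoinAuthEndpoint';  Value = 'https://login.microsoftonline.com' }
)

$results = @(foreach ($e in $expected) {
    $item   = Get-ItemProperty -Path $e.Path -Name $e.Name -ErrorAction SilentlyContinue
    $actual = if ($item) { $item.($e.Name) } else { $null }
    $status = if ($null -eq $actual)              { 'MISSING' }
              elseif ("$actual" -eq "$($e.Value)") { 'OK' }
              else                                 { 'MISMATCH' }
    [pscustomobject]@{ Check = "$($e.Path)\$($e.Name)"; Status = $status; Actual = $actual }
})

# DiscoveryServiceUrl sits under a per-account GUID subkey, so look at every account rather than a fixed GUID.
$accounts = @(Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Provisioning\OMADM\Accounts' -ErrorAction SilentlyContinue)
$discovery = @($accounts | ForEach-Object { (Get-ItemProperty $_.PSPath).DiscoveryServiceUrl } | Where-Object { $_ })
$discoveryStatus = if ($discovery -like 'https://enrollment.manage.microsoft.com/*') { 'OK' } else { 'MISSING' }
$results += [pscustomobject]@{ Check = 'OMADM\Accounts\*\DiscoveryServiceUrl'; Status = $discoveryStatus; Actual = ($discovery -join ', ') }

# Join state (verification step 2), reduced to the lines that matter for auto-enrollment.
$dsreg = dsregcmd /status
$joinState = $dsreg | Select-String -Pattern 'AzureAdJoined|DomainJoined|TenantName|MdmUrl' | ForEach-Object { $_.Line.Trim() }

# Endpoint reachability (troubleshooting step 6). A TCP 443 failure points at the network path
# (firewall, proxy, DNS) rather than at the GPO or the tenant configuration.
$net = foreach ($h in 'enrollment.manage.microsoft.com', 'login.microsoftonline.com') {
    $t = Test-NetConnection -ComputerName $h -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{ Host = $h; Tcp443 = $t.TcpTestSucceeded }
}

$results   | Format-Table -AutoSize
$joinState
$net       | Format-Table -AutoSize
```

A MISSING status for the Policies\...\MDM values means the GPO has not applied (check 'gpresult /r' for the GPO name and the OU link); a MISMATCH means a GPO applied but with different data, which usually indicates a second GPO or a typo in the URL variables. Tcp443 false on either host while the registry checks pass means enrollment will stall at the network layer regardless of policy.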