- Joins a device to Intune that has already been joined to Azure AD.
- Ensure device user has a Microsoft license that includes Intune.
- Ensure device user is a member of a security group enabled for automatic MDM enrollment (added to the MDM user scope).
- See article: Set up automatic enrollment for Windows devices.
- Ensure device is joined to Azure AD.
- Push the Join-Intune script to the device and run it.
- After running the script, keep the device online and awake with the user signed in, and allow a few hours for the enrollment to take effect (in case the initial enrollment attempt does not succeed).
- See this article: Troubleshooting Windows 10 Group Policy-based auto-enrollment in Intune.
The script works by replicating the effects of enabling the group policy called "Enable automatic MDM enrollment using default Azure AD credentials".
- Policy can be found in Administrative Templates\Windows Components\MDM.
- Creates a registry entry at Computer\HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM.
- Name: AutoEnrollMDM
- Value: 1
- Creates a scheduled task titled "Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory".
- The task can be found at the root level of Task Scheduler when created by the script. If created by group policy, it will be found in Microsoft\Windows\EnterpriseMgmt.
- The script also starts an enrollment attempt immediately, before the scheduled task runs, but this only works when the script is run in the system context (e.g. via Absolute, an RMM, or PsExec).
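The following PowerShell is an added illustration of the three effects listed above (registry value, scheduled task, immediate attempt); it is not the Join-Intune script itself. The registry path, value name and task title come from this page. The task action (`deviceenroller.exe /c /AutoEnrollMDM`) and the use of `dsregcmd /status` to confirm the Azure AD join are assumptions taken from how the Windows auto-enrollment policy behaves, and the `IsSystem` check is added so the immediate attempt is only made in the context where it can succeed.

```powershell
#Requires -RunAsAdministrator
# Added example, not the original Join-Intune script.
# Assumptions (not from the page): deviceenroller.exe /c /AutoEnrollMDM as the task
# action, and dsregcmd /status "AzureAdJoined : YES" as the join check.

$RegPath  = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$TaskName = 'Schedule created by enrollment client for automatically enrolling in MDM from Azure Active Directory'
$Enroller = Join-Path $env:windir 'system32\deviceenroller.exe'

function Test-AzureAdJoined {
    # Prerequisite from the page: the device must already be Azure AD joined.
    $status = & (Join-Path $env:windir 'system32\dsregcmd.exe') /status 2>$null
    return [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES')
}

function Set-AutoEnrollMDMPolicy {
    # Effect 1: the same registry value the group policy would write.
    if (-not (Test-Path $RegPath)) { New-Item -Path $RegPath -Force | Out-Null }
    New-ItemProperty -Path $RegPath -Name 'AutoEnrollMDM' -Value 1 -PropertyType DWord -Force | Out-Null
}

function Register-AutoEnrollTask {
    # Effect 2: a SYSTEM task at the root of Task Scheduler that retries the enrollment.
    $action    = New-ScheduledTaskAction -Execute $Enroller -Argument '/c /AutoEnrollMDM'
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(5) `
                 -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 1)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -Action $action -Trigger $trigger -Principal $principal -Force | Out-Null
}

function Get-JoinIntuneState {
    # Read-back check a technician can run afterwards to confirm both effects landed.
    $value = (Get-ItemProperty -Path $RegPath -Name 'AutoEnrollMDM' -ErrorAction SilentlyContinue).AutoEnrollMDM
    $task  = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AzureAdJoined  = Test-AzureAdJoined
        AutoEnrollMDM  = $value
        TaskRegistered = [bool]$task
        TaskState      = if ($task) { $task.State } else { $null }
    }
}

if (-not (Test-AzureAdJoined)) {
    Write-Warning 'Device is not Azure AD joined; enrollment cannot succeed. Stopping.'
    return
}

Set-AutoEnrollMDMPolicy
Register-AutoEnrollTask

# Effect 3: the immediate attempt only works in the SYSTEM context (RMM, Absolute, PsExec).
if ([Security.Principal.WindowsIdentity]::GetCurrent().IsSystem) {
    & $Enroller /c /AutoEnrollMDM
} else {
    Write-Output 'Not running as SYSTEM; skipping the immediate attempt. The scheduled task will retry.'
}

Get-JoinIntuneState
```

Run it once in the system context to get the immediate attempt; when run as an ordinary administrator it still writes the policy value and registers the task, and `Get-JoinIntuneState` gives the technician a quick way to confirm both before waiting the few hours the page mentions.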