Bulk enrolling devices that are already joined to Azure AD

Zakary Ames 45 Reputation points
2023-03-02T20:44:28.0466667+00:00

My company needs a bulk Intune enrollment method for close to 1000 devices in the following environment:

  • Windows 11
  • Already joined to Azure AD
  • No on-prem AD

We need a way to enroll these devices with minimal user or IT interaction. We do have an agent installed on each device which will allow us to push a script to them, so I was hoping a PowerShell script could do the trick.

I've been scouring the internet and the documentation on Intune enrollment methods, but bulk enrollment methods for our scenario don't seem well supported or documented. Why is this? The only method I can find is to manually go into the GUI on each PC at Access Work or School > Enroll only in device management. This would be a massive endeavor to do on each computer manually.

I encountered a couple blogs that claimed to have the solution:

These blogs provide a script that replicates the effects of the group policy enrollment method. Enabling the group policy to join to MDM does two things which these scripts also do:

  • Creates a registry entry at HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM\AutoEnrollMDM = 1
  • Creates a scheduled task called "Schedule created by enrollment client for automatically enrolling in MDM from AAD". This is located under Microsoft > Windows > EnterpriseMgmt.

So here is what I tried:

  1. Grabbed a couple test computers.
  2. Made sure the computers are a part of security groups that are configured for auto MDM enrollment. (Azure AD > Mobility (MDM and MAM) > Microsoft Intune > Add device group to the MDM user scope)
  3. On one I tried manually enabling the group policy. On the other I ran the script. I get the same results from both.

Results:

The registry entries and scheduled task were created successfully. The devices were left online and active (not asleep) for hours, maybe 8-10 hours so far. In the event viewer, every 5 minutes when the scheduled task is run, I get the following logs:

Event ID: 76

Description: Auto MDM Enroll: Device Credential (0x0), Failed (Mobile Device Management (MDM) is not configured.)

HRESULT: 0x80180031

Event ID: 90

Description: Auto MDM Enroll Get AAD Token: Device Credential (0x0), Resource Url (NULL), Resource Url 2 (NULL), Status (Mobile Device Management (MDM) is not configured.)

HRESULT: 0x80180031

When I look up these logs I don't find any help online. Will this enrollment method only work if my devices are hybrid joined to Azure AD and on-prem AD?

I appreciate the help of anyone who manages to read this and has any experience with it.


Accepted answer
Crystal-MSFT 46,271 Reputation points Microsoft Vendor
2023-03-03T02:31:24.1066667+00:00

@Zakary Ames, Thanks for posting in Q&A.

From your description, I notice you have added a device group into "MDM user scope". In fact, a user group needs to be added there. Please add the user group to see if it works.

Made sure the computers are a part of security groups that are configured for auto MDM enrollment. (Azure AD > Mobility (MDM and MAM) > Microsoft Intune > Add device group to the MDM user scope)

Meanwhile, please also confirm the enrolling user has both a Microsoft Intune and an Azure AD Premium license assigned.

Hope it can help.

If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".

Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
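The following is an added example that ties the question and the accepted answer together; it is not code from the question, from the blogs it mentions, or from Microsoft. It reproduces the two effects of the group policy that the question describes (the AutoEnrollMDM registry value and the scheduled task under Microsoft > Windows > EnterpriseMgmt), triggers the task once, and then reads the DeviceManagement event log so an agent-pushed script can report the same 76/90 events the question found in Event Viewer, flagging the "MDM is not configured" failure that the accepted answer attributes to the MDM user scope and licensing. Assumptions not stated on the page: the task action `deviceenroller.exe /c /AutoEnrollMDM` is taken to be what the policy-created task runs; `UseAADCredentialType = 1` is taken to be the policy's "User Credential" option; Event ID 75 is taken to be the success counterpart of the 76 failure event; and an Intune enrollment is detected by a subkey under `HKLM\SOFTWARE\Microsoft\Enrollments` whose `ProviderID` is `MS DM Server`. Run it elevated (as SYSTEM via the agent) on an Azure AD joined Windows 11 device.

```powershell
#Requires -RunAsAdministrator
# Added example, not from the original post, the blogs it mentions, or Microsoft.
# Replicates the registry value and scheduled task the "Enable automatic MDM enrollment
# using default Azure AD credentials" policy creates, then checks the enrollment events.

$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$TaskName  = 'Schedule created by enrollment client for automatically enrolling in MDM from AAD'
$TaskPath  = '\Microsoft\Windows\EnterpriseMgmt\'
$LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'

function Test-AzureAdJoined {
    # dsregcmd /status reports "AzureAdJoined : YES" on an Azure AD joined device.
    $status = & dsregcmd.exe /status
    return [bool]($status | Where-Object { $_ -match '^\s*AzureAdJoined\s*:\s*YES' })
}

function Test-IntuneEnrolled {
    # Assumption: an Intune MDM enrollment appears as an Enrollments subkey with ProviderID "MS DM Server".
    $ids = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { (Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue).ProviderID }
    return [bool]($ids -contains 'MS DM Server')
}

function Enable-AutoEnrollMdmPolicy {
    if (-not (Test-Path $PolicyKey)) { New-Item -Path $PolicyKey -Force | Out-Null }
    # AutoEnrollMDM = 1 is the value named in the question.
    New-ItemProperty -Path $PolicyKey -Name 'AutoEnrollMDM' -PropertyType DWord -Value 1 -Force | Out-Null
    # Assumption: UseAADCredentialType = 1 is the policy's "User Credential" option. Enrollment then
    # runs as the signed-in user, which is why that user must be in the MDM user scope and licensed.
    New-ItemProperty -Path $PolicyKey -Name 'UseAADCredentialType' -PropertyType DWord -Value 1 -Force | Out-Null
}

function Register-AutoEnrollTask {
    # Assumption: the policy-created task runs deviceenroller.exe /c /AutoEnrollMDM.
    # Repeats every 5 minutes, the cadence the question observed in Event Viewer.
    $action    = New-ScheduledTaskAction -Execute "$env:windir\system32\deviceenroller.exe" -Argument '/c /AutoEnrollMDM'
    $trigger   = New-ScheduledTaskTrigger -Once -At (Get-Date).AddMinutes(1) `
                    -RepetitionInterval (New-TimeSpan -Minutes 5) -RepetitionDuration (New-TimeSpan -Days 1)
    $principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
    Register-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath -Action $action `
        -Trigger $trigger -Principal $principal -Force | Out-Null
}

function Get-AutoEnrollEvents {
    param([int]$LastMinutes = 60)
    # 76 = Auto MDM Enroll failed and 90 = AAD token result, both quoted in the question;
    # assumption: 75 is the corresponding "Auto MDM Enroll ... Succeeded" event.
    Get-WinEvent -FilterHashtable @{ LogName = $LogName; Id = 75, 76, 90
                                     StartTime = (Get-Date).AddMinutes(-$LastMinutes) } `
        -ErrorAction SilentlyContinue |
        Sort-Object TimeCreated -Descending |
        Select-Object TimeCreated, Id, Message
}

# ---- main ----
if (-not (Test-AzureAdJoined)) {
    Write-Error 'Device is not Azure AD joined; the AutoEnrollMDM policy will not apply here.'
    exit 1
}
if (Test-IntuneEnrolled) { Write-Output 'Already enrolled in Intune; nothing to do.'; exit 0 }

Enable-AutoEnrollMdmPolicy
Register-AutoEnrollTask
Start-ScheduledTask -TaskName $TaskName -TaskPath $TaskPath
Start-Sleep -Seconds 60   # give the enrollment client one attempt before reading the log

$events = Get-AutoEnrollEvents -LastMinutes 5
$events | Format-Table -AutoSize
$latest = $events | Select-Object -First 1
if ($latest -and $latest.Id -eq 75) {
    Write-Output 'Auto MDM Enroll succeeded.'
} elseif ($events | Where-Object { $_.Message -match 'MDM\) is not configured' }) {
    # The question's failure (HRESULT 0x80180031). Per the accepted answer: the MDM user scope must
    # contain a user group (not a device group) and the user needs Intune + Azure AD Premium licenses.
    Write-Warning 'Enrollment failed with "MDM is not configured": check the MDM user scope group type and the signed-in user''s licenses.'
} elseif (-not $events) {
    Write-Warning 'No enrollment events yet; re-run Get-AutoEnrollEvents after the next 5-minute task run.'
}
```

The script exits early on a device that is not Azure AD joined or is already enrolled, so it is safe to push to the whole fleet through the agent; pushing the same check to the two test machines from the question would show, in the script output rather than in Event Viewer, whether changing the MDM user scope from a device group to a user group clears the 0x80180031 failure.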

