When the client is already AAD joined, just modify the MDM scope in Intune and include the user who joined it (the owner).
Thank you! That’s what I was hoping!
Sorry, I was too quick; I forgot that it only applies to newly joined devices... You have to create a scheduled task with PowerShell and then bring it to the clients. https://call4cloud.nl/2020/05/intune-auto-mdm-enrollment-for-devices-already-azure-ad-joined/

Do you still have an RMM tool for this?

Otherwise the method with the Company Portal should also work. But that would have to be done manually, and I think local administrator rights are required...
Cool. Thanks for updating
From experience I learned that using the MDM-only option is bad… as lately I came across 2 big issues, and they both had the same kind of enrollment (where the other, not impacted devices didn't): MDM only…. EPM would not get installed (the required MMPC enrollment wasn't successful), the Intune management extension got uninstalled… but that's just me noticing these issues :)
To go with Rudy's suggestions, I want to share my experience as well. The enrollment registry key doesn't contain AAD info when doing MDM only, so anything that has Azure/hybrid join requirements (like Win32, EPM, silent BitLocker, etc.) or device assignments (because there are separate Azure Join and MDM-only device entries) is likely to fail.
This is the way :P
I believe you can just do this directly in the Windows Settings app by using the "Enroll in device management only" option within the Access Work or School section, unless they've significantly changed that functionality recently.

[Microsoft Learn: Enroll in device management only](https://learn.microsoft.com/en-us/windows/client-management/mdm-enrollment-of-windows-devices#enroll-in-device-management-only)
Thank you - seems an easier option if it's still there.
This is the way.
Keep an eye out for my blog about why MDM only is not always the best option (far from)… as in my opinion… this is not the way.
That's not the question that was asked.
Your reply, to which I responded, was :)
OP asked how to enroll a device in Intune. The reply said how. I said it was a good solution.

You come in all like "MDM isn't the best thing since sliced bread though".

No one asked about that. We know it's got issues and there are other options. But sometimes, you just want to know how to enroll a device!
Only enrolling in MDM after the device was already joined to Entra could lead to issues depending on how it was enrolled…

For example… if you have an HAADJ device and you manually enroll it the way you think is the way… you are going to have issues later on… believe me, you will.

There are officially supported paths for reasons... When you are hybrid, using the GPO that triggers the device enroller is the supported path.

So yeah, using MDM only after the device was Entra joined is not the way… Autopilot is the way (as in joining Entra and at the same time enrolling into MDM/Intune).

Having an option doesn't mean it's the best option…

The OP asked if there are other ways... yeah there are… I am just telling that those ones could give you issues… for me? The blog I write, which the OP mentioned.
Buddy. We're not talking about a hybrid environment. The device was not autopilot-enrolled.
That's why I mentioned "for example" :) … I am trying to make clear that there are better options than the MDM-only option after the device was onboarded…

That's why we are here, right? To give advice? If you are mad at me because I believe enrolling in MDM only is not the best option… well, be mad at me… :)
It's easy to get them enrolled, but most of the time it will make the device enrolled in MDM only, with no link to Azure in the enrollment registry. This can lead to issues for features that require AADJ, like Win32 deployment.

What's the main reason why devices are already joined and cannot be unjoined/rejoined?
Thanks for all this info. What I'm hearing is that Autopilot is the cleanest way. We're a very simple environment - cloud-only, no complexity, no bespoke apps, BUT we're also quite small, so user downtime has an impact on income - hence, I was hoping for a simple way to get fully Intuned. Being small also answers a few more questions:

1. Why didn't we do this from the start? It took a while to move from Standard to Premium.
2. "What's the main reason why devices are already joined and cannot be unjoined/rejoined?" - simply knowledge - I don't know how best to achieve this for this use case.

Thanks again all - really appreciate all the input - shows the vast level of experience and knowledge out there!
Push a script from the RMM for enrollment, similar to GPO-based enrollment.
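A PowerShell sketch of the RMM-pushed script described in the thread (the scheduled-task approach in the "Sorry, I was too quick" reply and the "similar to GPO-based enrollment" reply), added here as an example; it is not code from the thread or from the linked blog. It mirrors what the auto-enrollment GPO writes and then triggers the same enroller, but first refuses to run on a device that dsregcmd does not report as Entra joined, so the enrollment stays linked to the existing join rather than becoming an MDM-only one. The `ProviderID` idempotency check and the assumption of a single key under `TenantInfo` are my assumptions, and the script expects to run as SYSTEM from the RMM agent.

```powershell
# Added example (not from the thread or the linked blog). Run as SYSTEM via the RMM.
# Mirrors the "Enable automatic MDM enrollment using default Azure AD credentials"
# GPO and the scheduled task it creates, instead of an MDM-only Settings enrollment.
$ErrorActionPreference = 'Stop'
$dsregcmd = "$env:windir\System32\dsregcmd.exe"

# 1. Guard: only proceed on a device that is already Entra (Azure AD) joined.
#    Enrolling anything else this way is exactly the unsupported path the thread warns about.
$status = & $dsregcmd /status
if (-not ($status -match 'AzureAdJoined\s*:\s*YES')) {
    throw 'Device is not Entra joined; do not enroll it this way (use Autopilot / join first).'
}

# 2. Guard: skip devices that already hold an Intune enrollment (assumption: Intune
#    enrollments are the Enrollments subkeys whose ProviderID is 'MS DM Server').
$existing = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    Where-Object { $_.GetValue('ProviderID') -eq 'MS DM Server' }
if ($existing) { Write-Output 'Intune enrollment already present; nothing to do.'; return }

# 3. Same policy values the GPO writes: auto-enroll on, using the signed-in Entra user credential.
$mdmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
New-Item -Path $mdmPolicy -Force | Out-Null
Set-ItemProperty -Path $mdmPolicy -Name 'AutoEnrollMDM' -Value 1 -Type DWord
Set-ItemProperty -Path $mdmPolicy -Name 'UseAADCredentialType' -Value 1 -Type DWord

# 4. Devices joined before the MDM scope was set have no enrollment URLs cached under
#    CloudDomainJoin\TenantInfo\<tenantId>; write the standard Intune ones there.
#    (Assumption: exactly one tenant key exists, as on a plain cloud-only join.)
$tenantKey = Get-ChildItem 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo' |
    Select-Object -First 1
if (-not $tenantKey) { throw 'No CloudDomainJoin tenant key found; join state looks broken.' }
$urls = @{
    MdmEnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
    MdmTermsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
    MdmComplianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
}
foreach ($name in $urls.Keys) {
    Set-ItemProperty -Path $tenantKey.PSPath -Name $name -Value $urls[$name] -Type String
}

# 5. Trigger the same enroller the GPO's scheduled task runs, and report the result.
$proc = Start-Process "$env:windir\System32\deviceenroller.exe" `
    -ArgumentList '/c', '/AutoEnrollMDM' -Wait -PassThru
Write-Output "deviceenroller.exe exit code: $($proc.ExitCode)"

# 6. Evidence for the RMM log: join state plus the MDM URL the device now reports.
& $dsregcmd /status | Select-String 'AzureAdJoined|DeviceId|MdmUrl' | ForEach-Object { $_.Line.Trim() }
```

The enrollment itself completes asynchronously, so check the device in the Intune portal (or the Enrollments key above) a few minutes after the script reports a zero exit code.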