As most of our devices around the business have already been deployed and configured without Intune, we need to enrol them into Intune another way. REF - https://learn.microsoft.com/en-us/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy
There is a GPO on the Domain Controller which enables automatic MDM enrolment into Intune, as long as the machine is Entra hybrid joined, which most of our machines already are thanks to Entra Connect.
This does mean that the machine will briefly need line of sight to the domain controller (on the LAN or over the VPN) in order to receive this GPO.
So we will need to manually check that all devices have been added. If a device is missing, connect to the machine, connect the VPN and run gpupdate /force. Then restart the PC; when the user logs back in, this should initiate the MDM enrolment. Important to note: the device can take anywhere from a few hours to 48 hours to appear in Intune.
To check the GPO has applied, you can check via LMI that the enrolment scheduled task has been created (Task Scheduler > Microsoft > Windows > EnterpriseMgmt). This task keeps retrying until a successful enrolment has happened.
I have set the MDM user scope to All users to make it easier to enrol, so as long as the user has the correct E3 licence (which includes Intune) this will work.
Example below showing machines now enrolled in Intune via MDM.
The machine will also show under the "Devices" tab.
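The following script is an added example for this guide (not part of the original article or any Microsoft tooling) that checks each stage of the GPO-driven enrolment on the endpoint: hybrid join state, whether the GPO registry values have landed, whether the enrolment scheduled task exists, whether an Intune enrolment has completed, and any recent enrolment errors. Run it in an elevated PowerShell session on the device, e.g. over LMI. The registry paths, task path and event log name are the documented ones; the function name and output fields are this example's own.

```powershell
# Added example (not from the original guide): verify the auto-enrolment stages
# on an existing hybrid joined device. Run elevated on the endpoint.

function Get-DsregValue {
    # Pull a single "Name : Value" field out of dsregcmd /status output.
    param([string[]]$Lines, [string]$Name)
    $hit = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(\S+)" | Select-Object -First 1
    if ($hit) { $hit.Matches[0].Groups[1].Value } else { 'unknown' }
}

function Test-IntuneAutoEnrolment {
    $dsreg = dsregcmd /status

    # 1. The GPO only does anything on an Entra hybrid joined device:
    #    both DomainJoined and AzureAdJoined must be YES.
    $domainJoined  = Get-DsregValue -Lines $dsreg -Name 'DomainJoined'
    $azureAdJoined = Get-DsregValue -Lines $dsreg -Name 'AzureAdJoined'

    # 2. The GPO writes AutoEnrollMDM=1 (and UseAADCredentialType) under the
    #    MDM policy key. If it is missing, the device has not seen the DC yet:
    #    connect the VPN and run "gpupdate /force".
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' `
                               -ErrorAction SilentlyContinue

    # 3. Once the policy applies, Windows creates the enrolment scheduled task
    #    under Task Scheduler > Microsoft > Windows > EnterpriseMgmt. After a
    #    successful enrolment the per-enrolment tasks live in a GUID subfolder.
    $tasks     = Get-ScheduledTask | Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }
    $enrolTask = $tasks | Where-Object { $_.TaskName -like '*automatically enrolling in MDM*' } |
                 Select-Object -First 1

    # 4. A completed Intune enrolment appears under HKLM\SOFTWARE\Microsoft\Enrollments
    #    as a GUID key whose ProviderID is "MS DM Server".
    $enrolment = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object -First 1

    # 5. Recent errors from the enrolment client, for when the task exists but
    #    enrolment keeps failing (e.g. licence or MDM user scope problems).
    $errors = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Level   = 2
    } -MaxEvents 5 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        ComputerName        = $env:COMPUTERNAME
        DomainJoined        = $domainJoined
        AzureAdJoined       = $azureAdJoined
        HybridJoined        = ($domainJoined -eq 'YES' -and $azureAdJoined -eq 'YES')
        GpoApplied          = ($policy.AutoEnrollMDM -eq 1)
        CredentialType      = $policy.UseAADCredentialType   # 1 = user credential, 2 = device credential
        EnrolmentTaskExists = [bool]$enrolTask
        EnrolmentTaskState  = if ($enrolTask) { $enrolTask.State } else { $null }
        Enrolled            = [bool]$enrolment
        EnrolmentState      = $enrolment.EnrollmentState
        EnrolmentUPN        = $enrolment.UPN
        RecentErrors        = @($errors | ForEach-Object { "$($_.TimeCreated) [$($_.Id)] $($_.Message)" })
    }
}

Test-IntuneAutoEnrolment | Format-List
```

Read the output top to bottom: if HybridJoined is false the GPO will never do anything, so fix the hybrid join first; if GpoApplied is false the device has not received the policy, so connect the VPN and run gpupdate /force; if the task exists but Enrolled stays false after the user's next sign-in, RecentErrors is where the licence or MDM user scope problems show up.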
Policy Sets
I have made a Policy Set in Intune containing all the CIS policies from Mitie to apply to our existing devices.
CIS Level 1 (Existing Devices) - Policies used for our existing devices around the company which we can't reset. (This is the group used for this sort of enrolment.)
CIS Level 1 - Policies used for AutoPilot (ignore in this guide, as this is used for Autopilot - https://support.jca.co.uk/a/solutions/articles/14000051472)
These are separated out to avoid issues and to make testing easier. This helped, as we found a few policies didn't agree with our existing machines, for example RDP breaking and the Security event log filling up.
It also avoids GPOs from the DC clashing with duplicate Intune configurations, e.g. local admin accounts, Chrome shortcuts etc.
Add Device group to deploy Intune Policies
So now that your device has appeared under Devices in the Intune Portal, you can assign this machine to the group called "Intune_Existing Devices".
Simply add the device into this group and the CIS policies will begin assigning to it.
Once we are 100% ready to go, we can bulk add all the devices by using a dynamic membership query rather than adding them one by one.
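As an added example for this guide (not part of the original article), the following converts the existing "Intune_Existing Devices" assigned group into a dynamic device group using Microsoft Graph PowerShell, so every enrolled hybrid joined Windows device picks up the CIS Level 1 (Existing Devices) policy set automatically. The membership rule is an assumption for this example: validate it in the Entra portal ("Validate rules") against a couple of known devices before turning processing on, and check it does not overlap with the Autopilot group.

```powershell
# Added example (not from the original guide): switch the existing device group
# to dynamic membership. Requires the Microsoft.Graph.Groups module and Entra ID
# P1 (included in E3) for dynamic groups.

Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Assumed rule: Windows devices that are Entra hybrid joined (deviceTrustType
# "ServerAd") and already MDM-managed, i.e. they have appeared in Intune.
# Entra-joined (non-hybrid) Autopilot devices have deviceTrustType "AzureAd"
# and are therefore not matched.
$rule = '(device.deviceOSType -eq "Windows") and ' +
        '(device.deviceTrustType -eq "ServerAd") and ' +
        '(device.managementType -eq "MDM")'

$group = Get-MgGroup -Filter "displayName eq 'Intune_Existing Devices'" | Select-Object -First 1
if (-not $group) { throw 'Group "Intune_Existing Devices" not found' }

# Switching an assigned group to dynamic membership removes its current direct
# members; the rule repopulates the group once processing is on.
Update-MgGroup -GroupId $group.Id `
    -GroupTypes @('DynamicMembership') `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'

# Check what the rule picked up (membership processing can take a few minutes).
Get-MgGroupMember -GroupId $group.Id -All |
    ForEach-Object { $_.AdditionalProperties['displayName'] }
```

The managementType clause is what makes this safe to leave on: a device that is hybrid joined but has not yet completed MDM enrolment will not be added, so the policy set only ever targets devices Intune can actually reach.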