As most of our devices around the business have already been deployed and configured without Intune, we need to enrol them into Intune another way. REF - https://learn.microsoft.com/en-us/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy


There is a GPO on the Domain Controller which enables automatic MDM enrolment into Intune using the device's Entra ID credentials, as long as the machine is Entra Hybrid Joined, which pretty much all of our machines already are due to Entra Connect.

This does mean that the machine will briefly need to see the domain controller in order to receive this GPO.


  1. Remote onto the PC
  2. Connect to the VPN
  3. Open CMD as admin
  4. Run gpupdate /force . This may sit on "Updating policy..." for a while, but that is fine to ignore as long as you check the enrolment tasks/signs below. You may also get an error when running gpupdate for the first time in a while; just run it again and it should complete.
  5. Disconnect from the VPN and close CMD
  6. Also check "Internet Options > LAN Settings" and tick "Automatically detect settings".
  7. Check 2FA is working on the device, e.g. verify the account is not appearing like below
  8. Check if the device has appeared in Intune. Important to note that this can take anywhere from a few hours up to 48 hours.




Windows 11?

Also be sure to check whether the PC can update to Windows 11. If it is not compatible, mark it on the sheet, as we will need to replace/upgrade it before Windows 10 EOL in 2025.
Windows 11 Health Check - https://aka.ms/GetPCHealthCheckApp
Windows 11 Download - https://go.microsoft.com/fwlink/?linkid=2171764
*Tip: before using the Windows 11 Download tool, check the uptime of the PC, as I've found it to perform better on a fresh reboot rather than after being online for 7+ days.





Check Enrolment


Open Windows Settings > Accounts and see if the JCA Engineering account and the "Info" button have appeared.


Win 11



Win 10



Another way to check that the GPO has applied is to confirm via LMI that the enrolment scheduled task has been created. This task will keep running until a successful enrolment has happened.

Look for any of these tasks
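Added example, not part of the original guide: a PowerShell check that covers steps 4 to 8 of the procedure above and the task check in this section, run in an elevated session on the PC after gpupdate /force. It assumes the GPO is the standard "Enable automatic MDM enrollment using default Azure AD credentials" policy, so the registry values, task folder and enrolment provider name are the documented ones for that policy.

```powershell
# Added example (not from the guide): confirm hybrid join, GPO application, enrolment task and enrolment state.
# Assumes the standard auto-enrolment GPO; paths and names below are the documented ones for it.

function Test-HybridJoin {
    # dsregcmd /status reports the join state; hybrid join needs both values to be YES
    $status = dsregcmd /status
    $aad    = [bool]($status | Select-String 'AzureAdJoined\s*:\s*YES')
    $domain = [bool]($status | Select-String 'DomainJoined\s*:\s*YES')
    [pscustomobject]@{ AzureAdJoined = $aad; DomainJoined = $domain; HybridJoined = ($aad -and $domain) }
}

function Test-AutoEnrolGpo {
    # The GPO writes AutoEnrollMDM=1 here; UseAADCredentialType selects device (1) or user (2) credential
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $key)) { return $false }
    $v = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    return ($v.AutoEnrollMDM -eq 1)
}

function Get-EnrolmentTasks {
    # The enrolment client creates its tasks under \Microsoft\Windows\EnterpriseMgmt\ (same place LMI shows them)
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue |
        Select-Object TaskName, TaskPath, State
}

function Get-MdmEnrolment {
    # A completed Intune enrolment is a GUID subkey whose ProviderID is "MS DM Server"
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object PSChildName, EnrollmentType, DiscoveryServiceFullURL
}

# Usage
$join = Test-HybridJoin
if (-not $join.HybridJoined) { Write-Warning 'Device is not hybrid joined; auto-enrolment will not fire.' }
if (-not (Test-AutoEnrolGpo)) { Write-Warning 'AutoEnrollMDM policy value not present; re-run gpupdate /force while on the VPN.' }
Get-EnrolmentTasks | Format-Table -AutoSize
$enrol = Get-MdmEnrolment
if ($enrol) { "Enrolled: $($enrol.DiscoveryServiceFullURL)" } else { 'No Intune enrolment recorded yet; the scheduled task will keep retrying.' }
```

If the join check fails, nothing else will work, so fix that first; if the GPO value is missing, the machine has not yet talked to the DC over the VPN. Once an enrolment key appears, the device should start showing in the portal within the time window noted in step 8.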



Once this has been checked, load the Intune Portal and change the filter to "Enrollment Date"; you should then start seeing the devices appear.




Add Device group to deploy Intune Policies



Now that your device has appeared under Devices in the Intune Portal, you can assign this machine to the group called "Intune_Existing Devices".


Simply add the device into this group and then it will begin assigning the CIS policies, Defender etc.


Once we are 100% ready to go, we can bulk-add all the devices using a dynamic query rather than one by one.
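Added example, not from the guide: the dynamic membership rule that bulk-add would use, created through the Microsoft Graph PowerShell module. The group name is a hypothetical new group rather than the existing assigned "Intune_Existing Devices" group; the Intune application ID is the documented constant for the deviceManagementAppId device property, and "ServerAd" is the documented trust type for hybrid-joined devices.

```powershell
# Added example (not from the guide): dynamic Entra group for hybrid-joined Windows devices that Intune manages.
# Assumes the Microsoft.Graph module is installed; the group display name below is hypothetical.
Connect-MgGraph -Scopes 'Group.ReadWrite.All'

# Documented Intune application ID used by the deviceManagementAppId rule property
$intuneAppId = '0000000a-0000-0000-c000-000000000000'

# Only Windows, only hybrid joined (ServerAd), and only once Intune actually manages the object.
# The last clause is what stops the policies landing on stale/duplicate Entra objects that never enrolled.
$rule = '(device.deviceOSType -eq "Windows") and ' +
        '(device.deviceTrustType -eq "ServerAd") and ' +
        '(device.deviceManagementAppId -eq "' + $intuneAppId + '")'

# Hypothetical group name; a dynamic group must be created as dynamic, not converted from the assigned one
New-MgGroup -DisplayName 'Intune_Existing Devices (Dynamic)' `
    -MailEnabled:$false `
    -MailNickname 'IntuneExistingDevicesDynamic' `
    -SecurityEnabled:$true `
    -GroupTypes 'DynamicMembership' `
    -MembershipRule $rule `
    -MembershipRuleProcessingState 'On'
```

Assign the Policy Set to the new dynamic group once its membership has been reviewed; the deviceManagementAppId clause means a device joins the group only after its Intune enrolment has completed, which matches the manual "Managed by Intune" check below.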


Sometimes there may be multiple devices appearing, as below:


In this case, you need to wait until the device appears under Windows devices as "Managed by Intune". Once it appears, click on the device name and check the Entra Device ID, and confirm the IDs match so that the correct object is added to the group.
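Added example, not from the guide: the same ID check done through the Microsoft Graph PowerShell module, which is useful when a name appears several times. It matches the Intune managed device's Entra device ID against each directory object with that display name and adds only the matching object to the group named in this guide; the device name used at the bottom is constructed.

```powershell
# Added example (not from the guide): resolve duplicate device objects by Entra device ID, then add the right one.
# Assumes the Microsoft.Graph module is installed; group name is the one from the guide.
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All', 'Device.Read.All', 'GroupMember.ReadWrite.All'

function Resolve-IntuneDevice {
    param([Parameter(Mandatory)][string]$DeviceName)
    # The managed-device record carries the Entra device ID that Intune actually enrolled against
    $managed = Get-MgDeviceManagementManagedDevice -Filter "deviceName eq '$DeviceName'"
    if (-not $managed) { throw "No Intune managed device named $DeviceName yet; wait for enrolment." }
    # Directory objects with the same display name; only the one that enrolled shares the device ID
    $candidates = Get-MgDevice -Filter "displayName eq '$DeviceName'"
    foreach ($m in $managed) {
        foreach ($c in $candidates) {
            [pscustomobject]@{
                DisplayName     = $c.DisplayName
                EntraObjectId   = $c.Id
                EntraDeviceId   = $c.DeviceId
                IntuneManagedId = $m.Id
                IdsMatch        = ($c.DeviceId -eq $m.AzureAdDeviceId)
            }
        }
    }
}

function Add-DeviceToIntuneGroup {
    param([Parameter(Mandatory)][string]$DeviceName, [string]$GroupName = 'Intune_Existing Devices')
    $match = @(Resolve-IntuneDevice -DeviceName $DeviceName | Where-Object IdsMatch)
    if ($match.Count -ne 1) { throw "Expected exactly one matching object for $DeviceName, found $($match.Count)." }
    $group = Get-MgGroup -Filter "displayName eq '$GroupName'"
    New-MgGroupMember -GroupId $group.Id -DirectoryObjectId $match[0].EntraObjectId
    $match[0]
}

# Usage (constructed device name)
Resolve-IntuneDevice -DeviceName 'JCA-LAPTOP-01' | Format-Table -AutoSize
Add-DeviceToIntuneGroup -DeviceName 'JCA-LAPTOP-01'
```

The first call lists every candidate with an IdsMatch column so you can see the stale objects; the second refuses to add anything unless exactly one object matches, which is the same rule the manual check enforces.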


Removing from Panda


Once the device has been added to Intune and is showing up as 'Managed by Intune' as well as in Defender, you can remove the licence in Panda and force-delete the software.


To do this, sign into Adaptive Defense 360 and click 'Computers'. From there, search for the device you just added to Intune, click on the device and remove the Panda licence.


After the licence is removed, click the 'bin' icon at the top right.



You will then be presented with the following:

 

Check the box where it says 'Uninstall the Panda agent from this computer' and then click Delete.


This should remove the Panda agent from the machine, leaving Microsoft Defender as the primary AV.
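Added example, not from the guide: a check to run on the PC after the Panda removal to confirm Defender has actually taken over rather than sitting in passive mode behind a leftover agent. It assumes the Panda package's uninstall entry contains "Panda" in its display name; check Programs and Features if the real name differs.

```powershell
# Added example (not from the guide): verify Defender is the active AV and no Panda package remains.
# Assumes the Panda uninstall entry's DisplayName contains "Panda".

function Get-DefenderState {
    $s = Get-MpComputerStatus
    [pscustomobject]@{
        AMRunningMode      = $s.AMRunningMode            # expect "Normal"; "Passive Mode" means another AV still owns real-time protection
        AntivirusEnabled   = $s.AntivirusEnabled
        RealTimeProtection = $s.RealTimeProtectionEnabled
        SignatureAgeDays   = $s.AntivirusSignatureAge
        SenseService       = (Get-Service -Name Sense -ErrorAction SilentlyContinue).Status   # Defender for Endpoint sensor
    }
}

function Get-RemainingPandaPackages {
    # Uninstall registry entries are quicker and safer than Win32_Product, which triggers MSI repairs
    $paths = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
             'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    Get-ItemProperty -Path $paths -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like '*Panda*' } |
        Select-Object DisplayName, DisplayVersion, UninstallString
}

# Usage
$state = Get-DefenderState
$state | Format-List
if ($state.AMRunningMode -ne 'Normal' -or -not $state.RealTimeProtection) {
    Write-Warning 'Defender is not in Normal mode; another AV may still be registered. Re-check the Panda removal and reboot.'
}
$left = Get-RemainingPandaPackages
if ($left) { Write-Warning "Panda packages still present:`n$($left | Out-String)" } else { 'No Panda packages found.' }
```

AMRunningMode is the value to watch: Windows keeps Defender in passive mode while another registered AV is present, so a "Normal" result here is the confirmation that the machine's protection is really coming from Defender and the Intune Defender policies will apply.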



Policy Sets


I have made a Policy Set in Intune containing all the CIS policies from Mitie to apply to our existing devices.



CIS Level 1 (Existing Devices) - Policies used for our existing devices around the company which we can't reset. (This is the group used for this sort of enrolment.)


CIS Level 1 - Policies used for AutoPilot (Ignore in this guide as this is used for Autopilot - https://support.jca.co.uk/a/solutions/articles/14000051472)


These are separated out to avoid issues and to make testing easier. This helped, as we found a few policies didn't agree with our machines, such as RDP breaking and Security logs filling up.

It also avoids duplicate GPOs from the DC clashing with Intune configs, e.g. Local Admin accounts, Chrome shortcuts etc.