Hello,
Currently:
Non-domain-joined devices running local accounts, without Autopilot
Devices are "AzureAD-Registered"
Desired end-state (in as automated a fashion as possible):
Join AAD (done through a provisioning package; https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll)
Automatically enroll into Intune during the join (done through automatic enrollment through AAD Premium; https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enroll)
Automatically get an Autopilot profile (I believe this is done through an autopilot deployment profile and toggling "Convert all targeted devices to Autopilot" while scoping it to dynamic group in AAD containing the user who is associated with the device and if the device is a "corporate"-device)
Issue:
So I am trying to figure out the most expedient way to enroll our current devices into Intune and join them to AAD.
The devices are already "AAD-Registered" and they do NOT have an Autopilot-profile assigned to them.
I've created a provisioning package with a bulk token as described here;
https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-bulk-enroll
which introduces the caveat that we need to hardcode a Wi-Fi connection / SSID, which in these pandemic times can be hard since users won't be at the office and are using their own networks at home.
Not specifying any wireless network and using a wired connection instead is not an option, since the majority of users don't have an Ethernet adapter with their laptop and I can't assume that they have a network cable.
Well, I thought about simply instructing them to set up their phone as a hotspot so that I'm able to hardcode an SSID / WPA2-PSK in the ppkg.
I tested joining my test-laptop with the ppkg and it works fine, my user is in the scoped group in Intune and gets enrolled into Intune during the AAD-Join.
However when checking the user in AAD I can see that the device is still listed as:
AzureAD-Registered (however using Intune as the MDM)
I also found a new user in AAD;
"package_<GUID>"
That user has my test laptop listed as a device, but as "AzureAD-Joined", and it is also this user that the device belongs to in Intune.
In Intune the device is lacking a "primary UPN" / "primary user" and is "enrolled by: <blank>".
Sure, I get that: since it's not the actual user who joined AAD but the provisioning package, the device is then left unassociated with a primary user in Intune / AAD, while the local user account still exists and is still "AzureAD-Registered":
MyTestUser
MyTestDevice <-- AAD-Registered (Managed by Intune)
package_<GUID> <-- Provisioning package which joined the device to AAD
MyTestDevice <-- AAD-Joined (Managed by Intune)
So is there any way I can make the device be associated automatically with the "actual user" who signs in to it, without assigning the user manually through the Endpoint Manager console?
I guess I can script this from an admin-perspective:
https://svdbusse.github.io/SemiAnnualChat/2020/03/21/Changing-Intune-Primary-User-To-Last-Logged-On-User.html
but was just wondering whether my "process" was correct or if I should change something, i.e.:
That the user "disconnects" so their device is no longer "AAD-Registered" and then runs the provisioning package; however, I don't see how this would inform AAD about which user the device belongs to, but it would eliminate the duplicate "AAD-Registered" device, unless, when I manually assign "MyTestUser" to the device in Intune, the "AAD-Registered" and "AAD-Joined" device objects merge into the "AAD-Joined" device?
^ This can't be scripted, however, and needs to be performed manually by the user, and I want to automate this as much as possible.
Would appreciate your feedback regarding this
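As an added example, not code from the post above or from the linked svdbusse script, this is a PowerShell sketch of the admin-side approach the post mentions: look up the Intune managed device by name, read its current primary user, pick the most recent entry in the device's usersLoggedOn collection, and assign that user as primary if it differs. It assumes the Microsoft Graph PowerShell SDK (Connect-MgGraph / Invoke-MgGraphRequest) is installed, that the caller holds Intune device-management rights, and that the beta Graph endpoint is used, since usersLoggedOn and the users/$ref primary-user assignment are only exposed there. The device name "MyTestDevice" and the package_* UPN prefix check are illustrative assumptions.

```powershell
# Added example (not from the post or the linked script): set an Intune managed
# device's primary user to the user who most recently signed in to it.
# Assumptions: Microsoft Graph PowerShell SDK present; caller has
# DeviceManagementManagedDevices.ReadWrite.All; beta endpoint, because
# usersLoggedOn and users/$ref are beta-only at the time of writing.
#Requires -Modules Microsoft.Graph.Authentication

param(
    # Intune device name as shown in Endpoint Manager (assumed unique), e.g. "MyTestDevice"
    [Parameter(Mandatory)] [string] $DeviceName,
    # Report what would change without assigning anything
    [switch] $ReportOnly
)

$graph = 'https://graph.microsoft.com/beta'
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.ReadWrite.All', 'User.Read.All' | Out-Null

# 1. Locate the managed device by name.
$filter  = [uri]::EscapeDataString("deviceName eq '$DeviceName'")
$devices = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/managedDevices?`$filter=$filter").value
if ($devices.Count -ne 1) { throw "Expected exactly one device named '$DeviceName', found $($devices.Count)" }
$device = $devices[0]

# 2. Current primary user; empty when the device was enrolled by a bulk-token ppkg.
$current    = (Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/managedDevices/$($device.id)/users").value
$currentUpn = if ($current) { $current[0].userPrincipalName } else { '<none>' }

# 3. Most recent interactive sign-in recorded for the device.
$detail   = Invoke-MgGraphRequest -Method GET -Uri "$graph/deviceManagement/managedDevices/$($device.id)?`$select=id,deviceName,usersLoggedOn"
$lastUser = $null
foreach ($entry in ($detail.usersLoggedOn | Sort-Object lastLogOnDateTime -Descending)) {
    $u = Invoke-MgGraphRequest -Method GET -Uri "$graph/users/$($entry.userId)?`$select=id,userPrincipalName"
    # Defensive: never promote the enrolling bulk-token identity (assumed "package_<GUID>" naming).
    if ($u.userPrincipalName -like 'package_*') { continue }
    $lastUser = $u; $lastSeen = $entry.lastLogOnDateTime; break
}
if (-not $lastUser) { throw "No usable logged-on user recorded for '$DeviceName' yet" }

Write-Host "Device: $($device.deviceName)  primary user: $currentUpn  last logged on: $($lastUser.userPrincipalName) at $lastSeen"

# 4. Assign only when it actually differs.
if ($current -and $current[0].id -eq $lastUser.id) { Write-Host 'Primary user already matches; nothing to do'; return }
if ($ReportOnly) { Write-Host "Would set primary user to $($lastUser.userPrincipalName)"; return }

$body = @{ '@odata.id' = "$graph/users/$($lastUser.id)" } | ConvertTo-Json -Compress
Invoke-MgGraphRequest -Method POST -Uri "$graph/deviceManagement/managedDevices/$($device.id)/users/`$ref" `
    -Body $body -ContentType 'application/json'
Write-Host "Primary user set to $($lastUser.userPrincipalName)"
```

Run it once with -ReportOnly to confirm the device resolves to the expected user before letting it write. Note that this only fixes the Intune primary-user field; it does not touch the separate "AzureAD-Registered" device object the post describes, which is an Azure AD object rather than an Intune property.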
