PowerShell Script to Enroll a Device in Intune

In this blog post, we'll break down the PowerShell script provided at the end of the post, which is used to enroll a device in Microsoft Intune, a cloud-based service that manages mobile devices and computers. The script automates two things: it configures the local machine registry settings that Windows reads to decide whether to auto-enroll, and it creates a scheduled task that kicks off the enrollment itself. Let's go through the script step by step and understand what it does.

Script Logic Overview

The script aims to achieve the following main objectives:

  1. Configure necessary registry settings for device enrollment.
  2. Create a scheduled task that triggers the device enrollment process.

Registry Settings Configuration

The script starts by defining the registry paths it needs as variables, each one building on the previous one. These paths lead to the key under which the required values will be set: HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM. Because the key lives under HKLM, the script has to run in an elevated context (an administrator or the SYSTEM account); a standard user cannot write there.

Registry Path Verification and Creation

The script then checks each registry path with Test-Path, walking down from HKLM:\SOFTWARE\Policies to the MDM key, and creates any key that does not exist with New-Item -Force.

Setting Registry Properties

The script proceeds to set the registry values that control automatic device enrollment. All three live directly under the MDM key:

  • AutoEnrollMDM: a DWORD set to 1, which enables automatic MDM enrollment.
  • UseAADCredentialType: a DWORD set to 1, which tells Windows to use Azure Active Directory (AAD) credentials for the enrollment.
  • MDMApplicationId: a string set to empty. Later in the script this value is read back, and if it is missing or holds anything other than an empty string, all three values are written again.
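The registry part of the script can be expressed more compactly and, more importantly, verified after the fact. The following is an added example and not the script from this post: it sets the same three values idempotently and then reads them back to confirm the device is in the desired state. It goes slightly beyond the post in that New-Item -Force creates every missing intermediate key in one call, so the five separate Test-Path/New-Item steps are not needed. The function names and the "Created/Updated/Unchanged" reporting are my own; the key path and value names are the ones the post uses. It assumes an elevated PowerShell session.

```powershell
# Added example (not the original post's code): idempotent configuration and
# read-back verification of the MDM auto-enrollment registry values.
# Assumption: runs elevated, because writes under HKLM need administrator rights.

$MdmKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'

# Desired state, value name -> type and value (same values as the post's script)
$DesiredValues = @{
    'AutoEnrollMDM'        = @{ Type = 'DWord';  Value = 1  }
    'UseAADCredentialType' = @{ Type = 'DWord';  Value = 1  }
    'MDMApplicationId'     = @{ Type = 'String'; Value = '' }
}

function Set-MdmEnrollmentValue {
    param(
        [Parameter(Mandatory)][string]$Path,
        [Parameter(Mandatory)][string]$Name,
        [Parameter(Mandatory)][ValidateSet('DWord', 'String')][string]$Type,
        [Parameter(Mandatory)][AllowEmptyString()]$Value
    )
    # New-Item -Force on the registry provider creates every missing
    # intermediate key, so one call replaces the post's five Test-Path checks.
    if (-not (Test-Path -Path $Path)) {
        New-Item -Path $Path -Force | Out-Null
    }

    $current = Get-ItemProperty -Path $Path -Name $Name -ErrorAction SilentlyContinue
    if ($null -eq $current) {
        New-ItemProperty -Path $Path -Name $Name -PropertyType $Type -Value $Value -Force | Out-Null
        return 'Created'
    }
    if ($current.$Name -ne $Value) {
        Set-ItemProperty -Path $Path -Name $Name -Value $Value -Force
        return 'Updated'
    }
    return 'Unchanged'
}

function Test-MdmEnrollmentValues {
    # Reads every value back and reports drift; returns $true only when all match.
    param([string]$Path = $MdmKey, [hashtable]$Expected = $DesiredValues)
    $ok = $true
    foreach ($name in $Expected.Keys) {
        $actual = (Get-ItemProperty -Path $Path -Name $name -ErrorAction SilentlyContinue).$name
        if ($null -eq $actual -or $actual -ne $Expected[$name].Value) {
            Write-Warning "$name is '$actual', expected '$($Expected[$name].Value)'"
            $ok = $false
        }
    }
    return $ok
}

foreach ($name in $DesiredValues.Keys) {
    $result = Set-MdmEnrollmentValue -Path $MdmKey -Name $name `
        -Type $DesiredValues[$name].Type -Value $DesiredValues[$name].Value
    Write-Output ('{0,-22} {1}' -f $name, $result)
}

if (Test-MdmEnrollmentValues) {
    Write-Output 'MDM enrollment values verified.'
} else {
    throw 'MDM enrollment values do not match the desired state.'
}
```

Running Test-MdmEnrollmentValues on its own (for example from a compliance or detection script) is a cheap way to confirm that a device still carries the settings after deployment, without rewriting anything.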

Scheduled Task Creation

The script configures a scheduled task that will execute the Intune enrollment process. Here's how it's done:

  • New-ScheduledTaskPrincipal: This cmdlet defines the principal under which the task will run. Here it is NT AUTHORITY\SYSTEM with -LogonType S4U and -RunLevel Highest, so the action runs with full local privileges and without anyone being logged on.
  • New-ScheduledTaskSettingsSet: This cmdlet defines the task settings: run only if a network is available, do not stop the task when the idle period ends, and enforce a one-hour execution time limit.
  • New-ScheduledTaskAction: This cmdlet defines the action the task will perform. It runs %windir%\system32\deviceenroller.exe with the arguments /c /AutoEnrollMDM, which likely triggers the device enrollment process.
  • New-ScheduledTaskTrigger: This cmdlet defines when the task fires. In this script, the task is scheduled to run once, 5 minutes from the current time.

Modifying the Scheduled Task

The script then registers the task as "MDMAutoEnroll", retrieves it again with Get-ScheduledTask, and modifies some of its properties:

  • The trigger's StartBoundary is set to the run time and its EndBoundary to ten minutes later, giving a ten-minute execution window after which the trigger expires.
  • The task's DeleteExpiredTaskAfter setting is set to PT0S (an ISO 8601 duration of zero seconds), so the task is removed as soon as that window closes. Note that, combined with the run-only-if-network-available setting, a device that is offline for the whole window will have the task expire and disappear without ever running.
  • Finally, the modified task is saved back with Set-ScheduledTask.
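Because the task deletes itself once it has expired, "the task is gone" can mean either that it ran or that it never got the chance. The following added example (not the post's script) is the post-deployment check I would run: it inspects the registered task against the properties the script sets, reports the last run result from the Task Scheduler, and asks dsregcmd whether an MDM enrollment URL is now present. The task name and expected settings are taken from the post; the function names, and the assumption that dsregcmd /status prints the enrollment server as an "MdmUrl" line, are mine.

```powershell
# Added example (not the original post's code): verify the "MDMAutoEnroll" task
# and the resulting enrollment state on a device after the script has run.

function Test-MdmAutoEnrollTask {
    param([string]$TaskName = 'MDMAutoEnroll')

    $task = Get-ScheduledTask -TaskName $TaskName -ErrorAction SilentlyContinue
    if ($null -eq $task) {
        # Absent is expected once the task expired and was deleted (PT0S); combine
        # this result with Get-MdmEnrollmentUrl below to tell "done" from "never ran".
        Write-Warning "Task '$TaskName' not found (expired and deleted, or never created)."
        return $false
    }

    # Each check mirrors a property the post's script sets explicitly.
    $checks = [ordered]@{
        'Runs as SYSTEM'              = ($task.Principal.UserId -like '*SYSTEM')
        'Run level Highest'           = ($task.Principal.RunLevel -eq 'Highest')
        'Executes deviceenroller.exe' = ($task.Actions[0].Execute -like '*deviceenroller.exe')
        'Arguments /c /AutoEnrollMDM' = ($task.Actions[0].Arguments -eq '/c /AutoEnrollMDM')
        'Trigger has an end boundary' = (-not [string]::IsNullOrEmpty($task.Triggers[0].EndBoundary))
        'Deleted when expired (PT0S)' = ($task.Settings.DeleteExpiredTaskAfter -eq 'PT0S')
        'Requires network'            = ($task.Settings.RunOnlyIfNetworkAvailable -eq $true)
    }

    $allOk = $true
    foreach ($name in $checks.Keys) {
        $status = if ($checks[$name]) { 'PASS' } else { $allOk = $false; 'FAIL' }
        Write-Output ('[{0}] {1}' -f $status, $name)
    }

    # Runtime status: has the task fired, and what did deviceenroller.exe return?
    $info = Get-ScheduledTaskInfo -TaskName $TaskName
    Write-Output ('State: {0}  LastRunTime: {1}  LastTaskResult: 0x{2:X8}  NextRunTime: {3}' -f `
        $task.State, $info.LastRunTime, $info.LastTaskResult, $info.NextRunTime)
    return $allOk
}

function Get-MdmEnrollmentUrl {
    # dsregcmd /status reports the MDM enrollment server once enrollment has
    # completed; $null means the device is not (yet) enrolled.
    # Assumption: the field is printed as "MdmUrl : <url>" on current builds.
    $status = & dsregcmd.exe /status 2>$null
    foreach ($line in $status) {
        if ($line -match '^\s*MdmUrl\s*:\s*(\S+)') { return $Matches[1] }
    }
    return $null
}

$taskOk = Test-MdmAutoEnrollTask
$mdmUrl = Get-MdmEnrollmentUrl
if ($mdmUrl) {
    Write-Output "Device is MDM enrolled; enrollment server: $mdmUrl"
} elseif ($taskOk) {
    Write-Output 'Task is registered as expected but the device is not enrolled yet.'
} else {
    Write-Warning 'Task missing or misconfigured and no MDM enrollment found.'
}
```

A non-zero LastTaskResult is the first thing to look at when a device never shows up in Intune; it is the exit code of deviceenroller.exe for the run in question.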

Error Handling

The whole script body sits inside a try/catch block. If any statement throws, the catch logs the exception with Write-Log, calls Exit-Script with a return code of -999 and returns; on success the script ends with Exit-Script -ReturnCode 0. Note that Write-Log and Exit-Script are not defined anywhere in the script as posted; they are expected to come from the scripting framework it is embedded in, and without them the catch block itself would fail with a "command not found" error instead of producing the intended exit code.
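To make the posted script run stand-alone, the two helpers it calls have to exist. The following is an added example of minimal implementations, not the framework the author uses: the parameter names (-PrependText, -ReturnCode) are chosen to match the calls in the script, while the log location under ProgramData and the log line format are my own assumptions.

```powershell
# Added example (not the original post's code): minimal Write-Log and
# Exit-Script helpers compatible with the calls in the enrollment script.
# Assumption: log file path and line format are mine; adjust to your framework.

$script:LogFile = Join-Path $env:ProgramData 'MDMAutoEnroll\MDMAutoEnroll.log'

function Write-Log {
    param(
        [Parameter(Position = 0)]$Message,
        [string]$PrependText
    )
    $dir = Split-Path -Parent $script:LogFile
    if (-not (Test-Path -Path $dir)) {
        New-Item -Path $dir -ItemType Directory -Force | Out-Null
    }

    # The catch block passes $_ (an ErrorRecord); expand it to the exception
    # message and the script line that failed so the log is actionable.
    if ($Message -is [System.Management.Automation.ErrorRecord]) {
        $text = '{0} (script line {1})' -f $Message.Exception.Message,
                                           $Message.InvocationInfo.ScriptLineNumber
    } else {
        $text = [string]$Message
    }
    if ($PrependText) { $text = "$PrependText $text" }

    $line = '{0:yyyy-MM-dd HH:mm:ss} [PID {1}] {2}' -f (Get-Date), $PID, $text
    Add-Content -Path $script:LogFile -Value $line
    Write-Verbose $line
}

function Exit-Script {
    param([Parameter(Mandatory)][int]$ReturnCode)
    Write-Log "Script exiting with return code $ReturnCode"
    # 'exit' rather than 'return' so the deployment tool that launched
    # powershell.exe sees the code as the process exit status.
    exit $ReturnCode
}
```

Define these (or your framework's equivalents) above the try block; the exit status is what a deployment tool uses to decide whether the enrollment script succeeded on a given device.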

Conclusion

In summary, this PowerShell script automates the configuration of the registry settings and the creation of a scheduled task that together trigger device enrollment in Microsoft Intune. By running it on target devices, administrators can ensure that devices are automatically enrolled in Intune and managed according to organization policies. Because it writes machine-wide policy keys and registers a task that runs as SYSTEM, it is important to test the script thoroughly in a controlled environment before deploying it to production devices.

# Main Script Logic
# Note: Write-Log and Exit-Script are called below but are not defined in this
# script; they must be supplied by the framework the script is embedded in.
try {

#### Local Machine Reg Section ####
# Registry paths (HKLM), each built on the previous one down to the MDM key
$RegPoliciesLM = "HKLM:\SOFTWARE\Policies"
$RegMSLM = "$RegPoliciesLM\Microsoft"
$RegWINLM = "$RegMSLM\Windows"
$RegCVLM = "$RegWINLM\CurrentVersion"
$RegMDMLM = "$RegCVLM\MDM"


# Test each registry location and create it if missing (HKLM)
$TestPoliciesLM = Test-Path $RegPoliciesLM
If ($TestPoliciesLM -eq $False) { New-Item -Path "HKLM:\SOFTWARE" -Name "Policies" -Force }
$MSTestLM = Test-Path $RegMSLM
If ($MSTestLM -eq $False) { New-Item -Path "$RegPoliciesLM" -Name "Microsoft" -Force }
$WINTestLM = Test-Path $RegWINLM
If ($WINTestLM -eq $False) { New-Item -Path "$RegMSLM" -Name "Windows" -Force }
$CVTestLM = Test-Path $RegCVLM
If ($CVTestLM -eq $False) { New-Item -Path "$RegWINLM" -Name "CurrentVersion" -Force }
$MDMTestLM = Test-Path $RegMDMLM
If ($MDMTestLM -eq $False) { New-Item -Path "$RegCVLM" -Name "MDM" -Force }


# Test MDM key (HKLM): if nothing can be read from it, seed all three values
$MDMOldLM = Get-ItemProperty -Path "$RegMDMLM" -ErrorAction SilentlyContinue

If ($MDMOldLM -eq $null) {
    New-ItemProperty -Path "$RegMDMLM" -Name "AutoEnrollMDM" -PropertyType DWORD -Value "1" -Force
    New-ItemProperty -Path "$RegMDMLM" -Name "UseAADCredentialType" -PropertyType DWORD -Value "1" -Force
    New-ItemProperty -Path "$RegMDMLM" -Name "MDMApplicationId" -PropertyType String -Value "" -Force
}

# Read MDMApplicationId back; if it is missing or not empty, (re)write all three values
$MDMAPPIDLM = Get-ItemProperty -Path "$RegMDMLM" -Name "MDMApplicationId" -ErrorAction SilentlyContinue

If (($MDMAPPIDLM -eq $Null) -or ($MDMAPPIDLM.'MDMApplicationId' -ne ""))
    {
        # MDMApplicationId: create if absent, otherwise reset to an empty string
        If ((Get-ItemProperty -Path $RegMDMLM -Name "MDMApplicationId" -ErrorAction SilentlyContinue) -eq $null) {
            New-ItemProperty -Path "$RegMDMLM" -Name "MDMApplicationId" -PropertyType String -Value "" -Force }
        Else { Set-ItemProperty -Path "$RegMDMLM" -Name "MDMApplicationId" -Value "" -Force }

        # AutoEnrollMDM = 1 enables automatic MDM enrollment
        If ((Get-ItemProperty -Path $RegMDMLM -Name "AutoEnrollMDM" -ErrorAction SilentlyContinue) -eq $null) {
            New-ItemProperty -Path "$RegMDMLM" -Name "AutoEnrollMDM" -PropertyType DWORD -Value "1" -Force }
        Else { Set-ItemProperty -Path "$RegMDMLM" -Name "AutoEnrollMDM" -Value "1" -Force }

        # UseAADCredentialType = 1 selects Azure AD credentials for the enrollment
        If ((Get-ItemProperty -Path $RegMDMLM -Name "UseAADCredentialType" -ErrorAction SilentlyContinue) -eq $null) {
            New-ItemProperty -Path "$RegMDMLM" -Name "UseAADCredentialType" -PropertyType DWORD -Value "1" -Force }
        Else { Set-ItemProperty -Path "$RegMDMLM" -Name "UseAADCredentialType" -Value "1" -Force }
    }

### Setup Scheduled Task
$RunTime = (Get-Date).AddMinutes(5)
# Run as SYSTEM, no interactive logon needed (S4U), with the highest run level
$STPrin = New-ScheduledTaskPrincipal -UserID "NT AUTHORITY\SYSTEM" -LogonType S4U -RunLevel Highest
# Only run with network, survive the end of the idle period, give up after one hour
$Stset = New-ScheduledTaskSettingsSet -RunOnlyIfNetworkAvailable -DontStopOnIdleEnd -ExecutionTimeLimit (New-TimeSpan -Hours 1)
# Task Scheduler expands %windir% itself when the action runs
$actionUpdate = New-ScheduledTaskAction -Execute "%windir%\system32\deviceenroller.exe" -Argument "/c /AutoEnrollMDM"
# Fire once, five minutes from now
$triggerUpdate = New-ScheduledTaskTrigger -Once -At $RunTime


Register-ScheduledTask -Trigger $triggerUpdate -Action $actionUpdate -Settings $Stset -TaskName "MDMAutoEnroll" -Principal $STPrin -Force

# Re-read the task and narrow the trigger to a ten-minute window; PT0S deletes
# the task as soon as that window has passed
$TargetTask = Get-ScheduledTask -TaskName "MDMAutoEnroll"
$TargetTask.Triggers[0].StartBoundary = $RunTime.ToString("yyyy-MM-dd'T'HH:mm:ss")
$TargetTask.Triggers[0].EndBoundary = $RunTime.AddMinutes(10).ToString("yyyy-MM-dd'T'HH:mm:ss")
$TargetTask.Settings.DeleteExpiredTaskAfter = "PT0S"
$TargetTask | Set-ScheduledTask

} catch [System.Exception] {
    Write-Log $_ -PrependText "FATAL: An unhandled exception was caught. The script will now exit as failed."
    Exit-Script -ReturnCode -999
    Return
}

Exit-Script -ReturnCode 0 # End successfully