Hey folks, we've got a client with several hundred users who are part of AzureAD but they aren't enrolled in Intune yet. We're looking to streamline this process, but our RMM tool can only run commands as the logged-in user or as System. The script for enrollment needs admin rights which complicates things. I'm wondering how to add admin credentials for elevation when executing the script without exposing the credentials to the end-user. Specifically, would using invoke-command work in this scenario? Here's a snippet of the script I'm working with, which is designed to set some MDM enrollment URLs. Any tips would be greatly appreciated!
3 Answers
You can just run the script as SYSTEM since that account has admin privileges. It seems like a straightforward approach without extra complications like messing with credentials.
Have you considered using Group Policy for this? Since they're solely AzureAD joined, you might want to create a nested elevated PowerShell process. You can use Start-Process with the RunAs verb to achieve this. Here’s a link that might help you set it up: https://learn.microsoft.com/en-us/windows/client-management/enroll-a-windows-10-device-automatically-using-group-policy
You're right, they aren't hybrid-joined. If I use the nested elevated process, how do I handle embedding the admin credentials smoothly?
I usually elevate to SYSTEM using psexec to run my .ps1 scripts. My RMM automatically removes psexec.exe after execution, which is why it’s not included directly in my main script. Here’s the command I use for reference: psexec64.exe -accepteula -nobanner /s powershell -nologo -executionpolicy bypass -noprofile -file %CD%\mdmenroll.ps1. This way you can get the proper permissions needed without hassle.
That sounds easy, but unfortunately, the script just doesn't function as expected when run that way.
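Pulling together the SYSTEM-context approach from the first and third answers, here is an added example (not the OP's script and not code from any poster) of an enrollment script that refuses to run unless it already holds admin rights, so no admin credentials ever need to be embedded or exposed to the user. It assumes the device is Azure AD joined (tenant ID read from the CloudDomainJoin registry), that the Enrollments registry values match those in the Microsoft document linked in the second answer, and that a non-zero exit code from deviceenroller.exe means failure.

```powershell
# Added example, not the OP's script: intended to be launched by the RMM as SYSTEM
# (or via psexec -s), so it never carries admin credentials of its own.
# Assumptions: Azure AD joined device; enrollment URL values as in the linked
# Microsoft auto-enrollment document; non-zero deviceenroller exit code = failure.
$ErrorActionPreference = 'Stop'

# Fail early if we are not elevated. A plain user context cannot write HKLM,
# and a half-written enrollment config is worse than a clear error in the RMM log.
$identity  = [Security.Principal.WindowsIdentity]::GetCurrent()
$principal = [Security.Principal.WindowsPrincipal]$identity
if (-not $principal.IsInRole([Security.Principal.WindowsBuiltInRole]::Administrator)) {
    throw "Must run elevated (e.g. as SYSTEM from the RMM); current identity: $($identity.Name)"
}

# Discover the tenant ID from the Azure AD join information. On an AAD-joined
# machine there is one subkey under TenantInfo, named after the tenant GUID.
$tenantInfo = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
$tenantKeys = @(Get-ChildItem -Path $tenantInfo)
if ($tenantKeys.Count -ne 1) {
    throw "Expected one tenant under $tenantInfo, found $($tenantKeys.Count); device may not be AAD joined"
}
$tenantId = $tenantKeys[0].PSChildName

# Write the MDM enrollment URLs the enrollment client reads for this tenant.
$enrollKey = "HKLM:\SOFTWARE\Microsoft\Enrollments\$tenantId"
if (-not (Test-Path $enrollKey)) { New-Item -Path $enrollKey -Force | Out-Null }
$urls = @{
    MdmEnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
    MdmTermsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
    MdmComplianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
}
foreach ($name in $urls.Keys) {
    Set-ItemProperty -Path $enrollKey -Name $name -Value $urls[$name] -Type String
}

# Trigger auto-enrollment with the built-in enrollment client, the same binary
# the "automatically enrolling in MDM from AAD" scheduled task invokes.
$enroller = Join-Path $env:windir 'System32\deviceenroller.exe'
$proc = Start-Process -FilePath $enroller -ArgumentList '/c', '/AutoEnrollMDM' `
    -Wait -PassThru -NoNewWindow
if ($proc.ExitCode -ne 0) {
    throw "deviceenroller.exe exited with code $($proc.ExitCode)"
}
Write-Output "Enrollment triggered for tenant $tenantId as $($identity.Name)"
```

Because the elevation check runs before any registry write, a mis-scheduled run in the logged-in user's context fails loudly in the RMM output instead of silently doing nothing, which is the usual cause of "it just doesn't work" reports.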