I've taken on the task of hybrid-joining and enrolling all our machines in Intune. The setup works great for new devices, but existing machines that were around before we configured auto-enrollment aren't updating. Is there an automated method to get those machines that are already in Entra to re-enroll in Intune? Manually deleting entries in Entra and using 'dsregcmd /leave' on each one as an admin isn't feasible for my deadline. I thought about removing those machines and deploying a one-time login script through GPO, but there's a risk they might re-register before the reboot, which could disrupt the hybrid-joining and Intune enrollment process. Any suggestions to simplify this would be appreciated!
2 Answers
I might have misunderstood your issue; why exactly do you need to unenroll from Intune to re-enroll? Or is it more about the devices being registered in Entra but not actually enrolled in Intune?
One effective way to handle this is by setting up two scheduled tasks using PowerShell. The first task can take care of the hybrid Azure join, disable itself afterward, enable the Intune enrollment task, and then reboot the machine. Once the reboot happens, the Intune task kicks in. I just did this in my own environment, and it worked seamlessly!
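One way to lay out the two-task hand-off described in this answer, as an added example rather than the answerer's own script: it assumes the helper scripts live under a hypothetical C:\ProgramData\HybridJoin folder, that both tasks run as SYSTEM, and it triggers the join through the built-in Automatic-Device-Join task and the enrollment through deviceenroller.exe /c /AutoEnrollMDM.

```powershell
# Added example, not the answerer's script. Paths and task names are assumptions.
$Root = 'C:\ProgramData\HybridJoin'
New-Item -ItemType Directory -Path $Root -Force | Out-Null

# Step 1: start the hybrid join, wait for it to land, hand over to step 2, reboot.
@'
Start-ScheduledTask -TaskPath '\Microsoft\Windows\Workplace Join\' -TaskName 'Automatic-Device-Join'
$deadline = (Get-Date).AddMinutes(5)
do { Start-Sleep -Seconds 15 }
until ((& "$env:windir\System32\dsregcmd.exe" /status) -match 'AzureAdJoined\s*:\s*YES' -or
       (Get-Date) -gt $deadline)
Disable-ScheduledTask -TaskName 'HybridJoin-Step1' | Out-Null
Enable-ScheduledTask  -TaskName 'HybridJoin-Step2' | Out-Null
Restart-Computer -Force
'@ | Set-Content -Path "$Root\Step1-Join.ps1" -Encoding ASCII

# Step 2: after the reboot, enroll only once the join is confirmed; otherwise stay
# enabled and retry at the next boot rather than enrolling against a half-joined device.
@'
$status = & "$env:windir\System32\dsregcmd.exe" /status
if ($status -match 'AzureAdJoined\s*:\s*YES') {
    & "$env:windir\System32\deviceenroller.exe" /c /AutoEnrollMDM
    Disable-ScheduledTask -TaskName 'HybridJoin-Step2' | Out-Null
}
'@ | Set-Content -Path "$Root\Step2-Enroll.ps1" -Encoding ASCII

$Principal = New-ScheduledTaskPrincipal -UserId 'SYSTEM' -LogonType ServiceAccount -RunLevel Highest
$Settings  = New-ScheduledTaskSettingsSet -AllowStartIfOnBatteries -DontStopIfGoingOnBatteries

function Register-Step {
    param([string]$Name, [string]$Script, [bool]$Enabled)
    $Action  = New-ScheduledTaskAction -Execute 'powershell.exe' `
        -Argument "-NoProfile -ExecutionPolicy Bypass -File `"$Script`""
    $Trigger = New-ScheduledTaskTrigger -AtStartup
    Register-ScheduledTask -TaskName $Name -Action $Action -Trigger $Trigger `
        -Principal $Principal -Settings $Settings -Force | Out-Null
    # Step 2 is registered disabled so it cannot fire before step 1 has finished.
    if (-not $Enabled) { Disable-ScheduledTask -TaskName $Name | Out-Null }
}

Register-Step -Name 'HybridJoin-Step1' -Script "$Root\Step1-Join.ps1"   -Enabled $true
Register-Step -Name 'HybridJoin-Step2' -Script "$Root\Step2-Enroll.ps1" -Enabled $false

# Kick off step 1 immediately instead of waiting for the next boot.
Start-ScheduledTask -TaskName 'HybridJoin-Step1'
```

Run it once per machine as an administrator (for example from a GPO startup script); step 1 disables itself, so re-running the deployment does not loop the reboot.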
Did you use a GPO to manage the hybrid join and Intune enrollment? I'm curious if it was done differently.

The issue is primarily with the old Entra registrations. They need to be cleared out before we can proceed with the leave command and then the auto-enrollment.