
Intune Enrollment Status Collection

Hello,

I'm curious if it's possible to create a collection within PDQ Inventory which will give the status of whether the computer is currently enrolled within Intune (Endpoint Manager) or not. I'm not sure if this is possible with a PowerShell scanner or looking at a specific registry key on the computer itself. Any help would be greatly appreciated. Thanks.

0

Comments

  • function Get-MDMEnrollmentStatus {
        <#
        .Synopsis
        Get Windows 10 MDM Enrollment Status.
     
        .Description
        Get Windows 10 MDM Enrollment Status with Translated Error Codes.
     
        Returns $null if Device is not enrolled to an MDM.
     
        .Example
        # Get Windows 10 MDM Enrollment status
        Get-MDMEnrollmentStatus
        #>
        param()
        #Locate correct Enrollment Key
        $EnrollmentKey = Get-Item -Path HKLM:\SOFTWARE\Microsoft\Enrollments\* | Get-ItemProperty | Where-Object -FilterScript {$null -ne $_.UPN}
        return $EnrollmentKey
    }

    Get-MDMEnrollmentStatus

    1
  • PDQ could do this, we'd just need to find an identifier that would show if the PC was enrolled or not. I couldn't really find anything like a registry key that is created that says the PC is "Intune Managed". I made a scanner that looks for 3 potential identifiers that are created as part of Intune Enrollment, but are not a flag itself.

    I don't know if this is 100% accurate because it doesn't seem to reflect all of the computers I've enrolled in Intune and we have many remote computers. But the folder and registry keys show up in a majority of computers at least.

    I'd be interested in a better way to tell, but this is the best I have right now.

    0
  • Thanks James for the suggestion. I did try that but unfortunately not every computer shows up when doing it that way (like you said). I think I did find a reliable way of doing it, however. I found a script online and converted it into a PowerShell Scanner and created a collection to look for the UPN field to see if a certain string exists. So far, that seems to pick up every computer enrolled into Intune. Look at the next post for the script to use for the PowerShell scanner.

    0
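A variant of the UPN check discussed in this thread, added here as an example and not written by any of the posters or by PDQ: it emits one row per device even when no enrollment is found, so a collection can filter on an explicit "not enrolled" value instead of a missing scan result. The function name, the `ProviderID` and `EnrollmentState` values and the `MS DM Server` string are assumptions that do not appear in the thread; confirm them on a known-enrolled machine first.

```powershell
# Added example: PowerShell scanner that always returns at least one row per device.
# Assumptions (not from the thread): the ProviderID and EnrollmentState registry values,
# and 'MS DM Server' as the ProviderID written by an Intune enrollment.
function Get-IntuneEnrollmentRow {
    param(
        [string]$EnrollmentRoot   = 'HKLM:\SOFTWARE\Microsoft\Enrollments',
        [string]$IntuneProviderId = 'MS DM Server'   # assumed Intune ProviderID
    )

    # Each enrollment has its own subkey; the thread's test is "subkey has a UPN value".
    $enrollments = @(
        Get-ChildItem -Path $EnrollmentRoot -ErrorAction SilentlyContinue |
            Get-ItemProperty -ErrorAction SilentlyContinue |
            Where-Object { -not [string]::IsNullOrWhiteSpace($_.UPN) }
    )

    if ($enrollments.Count -eq 0) {
        # Explicit "not enrolled" row, so the device still shows up in scan results.
        return [pscustomobject]@{
            Enrolled         = $false
            UPN              = ''
            ProviderID       = ''
            EnrollmentState  = $null
            IsIntuneProvider = $false
            EnrollmentId     = ''
        }
    }

    foreach ($e in $enrollments) {
        # One row per enrollment subkey that carries a UPN.
        [pscustomobject]@{
            Enrolled         = $true
            UPN              = $e.UPN
            ProviderID       = [string]$e.ProviderID
            EnrollmentState  = $e.EnrollmentState
            IsIntuneProvider = ($e.ProviderID -eq $IntuneProviderId)
            EnrollmentId     = $e.PSChildName   # name of the enrollment subkey
        }
    }
}

Get-IntuneEnrollmentRow
```

These values are what the device records locally, so a machine removed from the tenant without being unenrolled can still report `Enrolled = True`; compare the results with the Intune console before treating the collection as authoritative.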