Public/TenantConfiguration/Baseline/Add-DeviceEnrollmentConfiguration.ps1

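function Add-DeviceEnrollmentConfiguration {
    <#
    .SYNOPSIS
        Applies the baseline device enrollment configuration to a customer tenant.

    .DESCRIPTION
        Connects to the customer tenant with Connect-CustomerGraph and then, in order:
          1. Sets the MDM user scope (mobileDeviceManagementPolicies) to "all" if it is not already.
          2. Updates the tenant's default Windows Hello for Business enrollment configuration
             from the JSON file(s) under DeviceEnrollmentConfigurations\ next to this script.
          3. Creates a Windows Autopilot deployment profile from WindowsAutopilotDeploymentProfiles\
             (hybrid or default file, see -Hybrid) and assigns it to all devices, unless a profile
             with the same displayName already exists.
          4. Creates every enrollment status page found under EnrollmentStatusPages\ and assigns
             it to all devices, unless a configuration with the same displayName already exists.

        Every change is tenant-wide. If the current Graph context lacks the
        Policy.ReadWrite.MobilityManagement scope, application consent is re-created with
        Set-SAMConsent and the Graph session is re-established before any change is made.
        Existence checks follow @odata.nextLink, so they see every object in the tenant and
        do not create duplicates when a listing spans more than one page.

    .PARAMETER TenantId
        The customer tenant to configure (passed to Connect-CustomerGraph and Set-SAMConsent).

    .PARAMETER Hybrid
        When $true, JyskIT_Baseline_AP_HybridProfile.json is used as the Autopilot profile
        definition instead of JyskIT_Baseline_AP_DefaultProfile.json.

    .OUTPUTS
        None. Progress is reported with Write-Host.

    .NOTES
        Any failure is re-thrown as a terminating error prefixed
        "Failed to update Device enrollment configuration:". Steps that already
        completed are not rolled back.
    #>
    param(
        [Parameter(Mandatory)]
        [string]$TenantId,
        [bool]$Hybrid = $false
    )

    # Returns every item of a Graph collection, following @odata.nextLink across pages,
    # so that the "already exists" checks below cannot miss objects beyond the first page.
    function Get-GraphCollection {
        param(
            [Parameter(Mandatory)]
            [string]$Uri
        )
        $Items = [System.Collections.Generic.List[object]]::new()
        $NextUri = $Uri
        while ($NextUri) {
            $Page = Invoke-MgGraphRequest -Method GET -Uri $NextUri
            if ($null -ne $Page.value) {
                $Items.AddRange([object[]]$Page.value)
            }
            $NextUri = $Page.'@odata.nextLink'
        }
        return $Items.ToArray()
    }

    # Reads a JSON definition file into a hashtable, the shape Invoke-MgGraphRequest -Body expects.
    function Read-JsonDefinition {
        param(
            [Parameter(Mandatory)]
            [string]$Path
        )
        return Get-Content -Path $Path -Raw | ConvertFrom-Json -AsHashtable -Depth 100
    }

    # Assignment target used for both Autopilot profiles and enrollment status pages.
    $AllDevicesTarget = @{
        "target" = @{
            "@odata.type" = "#microsoft.graph.allDevicesAssignmentTarget"
        }
    }

    try {
        Connect-CustomerGraph -CustomerTenantId $TenantId

        # Only the MobilityManagement scope is verified here. NOTE(review): the Intune calls
        # below (deviceEnrollmentConfigurations, windowsAutopilotDeploymentProfiles) need a
        # device-management write permission as well (presumably
        # DeviceManagementServiceConfig.ReadWrite.All) — confirm Set-SAMConsent grants it.
        $MgContext = Get-MgContext
        if ($MgContext.Scopes -notcontains "Policy.ReadWrite.MobilityManagement") {
            Write-Host "The current application does not have the required scopes to update device enrollment configuration." -ForegroundColor Yellow
            Write-Host "Re-creating application consent, please wait.."
            # Re-consenting is itself a privileged, tenant-wide change; it happens automatically here.
            Set-SAMConsent -CustomerTenantId $TenantId
            Disconnect-MgGraph | Out-Null
            Connect-CustomerGraph -CustomerTenantId $TenantId
        }

        # --- MDM user scope: ensure all users are able to enroll in Intune. ---
        $MdmPolicyUri = "https://graph.microsoft.com/beta/policies/mobileDeviceManagementPolicies/0000000a-0000-0000-c000-000000000000"
        $MobileDeviceManagementPolicy = Invoke-MgGraphRequest -Method GET -Uri $MdmPolicyUri
        if ($MobileDeviceManagementPolicy.appliesTo -ne "all") {
            $MDMParams = @{
                "appliesTo" = "all"
            }
            Invoke-MgGraphRequest -Method PATCH -Uri $MdmPolicyUri -Body $MDMParams
            Write-Host "Set MDM user scope to 'all'" -ForegroundColor Green
        }
        else {
            Write-Host "MDM user scope is already set to 'all', not updating.." -ForegroundColor Yellow
        }

        $EnrollmentConfigurationsUri = "https://graph.microsoft.com/beta/deviceManagement/deviceEnrollmentConfigurations"
        $DeviceEnrollmentConfigurations = @(Get-GraphCollection -Uri $EnrollmentConfigurationsUri)

        # --- Windows Hello for Business: update the tenant's built-in default configuration. ---
        # Only definition files whose Id ends in _DefaultWindowsHelloForBusiness are applied;
        # any other JSON file in the folder is read and ignored.
        $ConfigurationFolder = Join-Path -Path $PSScriptRoot -ChildPath "DeviceEnrollmentConfigurations"
        foreach ($DefinitionFile in Get-ChildItem -Path $ConfigurationFolder -Filter *.json) {
            $Definition = Read-JsonDefinition -Path $DefinitionFile.FullName
            if ($Definition.Id -notlike "*_DefaultWindowsHelloForBusiness") {
                continue
            }

            # Expected to be exactly one per tenant; take the first match so a stray duplicate
            # cannot turn the Id into an array and break the update. Skip (with a warning)
            # rather than call Update-* with an empty Id if nothing matches.
            $TargetConfiguration = $DeviceEnrollmentConfigurations |
                Where-Object { $_.Id -like "*_DefaultWindowsHelloForBusiness" } |
                Select-Object -First 1
            if (-not $TargetConfiguration) {
                Write-Host "No default Windows Hello for Business configuration found in tenant, skipping '$($DefinitionFile.Name)'." -ForegroundColor Yellow
                continue
            }

            # assumes the JSON was exported with an "AdditionalProperties" block — TODO confirm
            Update-MgDeviceManagementDeviceEnrollmentConfiguration -DeviceEnrollmentConfigurationId $TargetConfiguration.Id -AdditionalProperties $Definition.AdditionalProperties
            Write-Host "Updated Windows Hello for Business Enrollment Configuration" -ForegroundColor Green
        }

        # --- Windows Autopilot deployment profile ---
        $AutopilotProfilesUri = "https://graph.microsoft.com/beta/deviceManagement/windowsAutopilotDeploymentProfiles"
        $WindowsAutopilotDeploymentProfiles = @(Get-GraphCollection -Uri $AutopilotProfilesUri)

        $ProfileFileName = if ($Hybrid) { "JyskIT_Baseline_AP_HybridProfile.json" } else { "JyskIT_Baseline_AP_DefaultProfile.json" }
        $ProfileFolder = Join-Path -Path $PSScriptRoot -ChildPath "WindowsAutopilotDeploymentProfiles"
        $WindowsAutopilotDeploymentProfile = Read-JsonDefinition -Path (Join-Path -Path $ProfileFolder -ChildPath $ProfileFileName)

        # Matching is by displayName only; an existing profile with the same name but
        # different settings is left untouched.
        if ($WindowsAutopilotDeploymentProfiles.displayName -contains $WindowsAutopilotDeploymentProfile.displayName) {
            Write-Host "Windows Autopilot deployment profile '$($WindowsAutopilotDeploymentProfile.displayName)' already exists, not creating.." -ForegroundColor Yellow
        }
        else {
            # The POST response carries the server-assigned id needed for the assignment call.
            $WindowsAutopilotDeploymentProfile = Invoke-MgGraphRequest -Method POST -Uri $AutopilotProfilesUri -Body $WindowsAutopilotDeploymentProfile
            Write-Host "Created Windows Autopilot deployment profile '$($WindowsAutopilotDeploymentProfile.displayName)'." -ForegroundColor Green

            Invoke-MgGraphRequest -Method POST -Uri "$AutopilotProfilesUri/$($WindowsAutopilotDeploymentProfile.id)/assignments" -Body $AllDevicesTarget | Out-Null
            Write-Host "Assigned Windows Autopilot deployment profile '$($WindowsAutopilotDeploymentProfile.displayName)' to all devices." -ForegroundColor Green
        }

        # --- Windows Autopilot Enrollment Status Pages ---
        $StatusPageFolder = Join-Path -Path $PSScriptRoot -ChildPath "EnrollmentStatusPages"
        foreach ($EnrollmentStatusPageFile in Get-ChildItem -Path $StatusPageFolder -Filter *.json) {
            $EnrollmentStatusPage = Read-JsonDefinition -Path $EnrollmentStatusPageFile.FullName

            # Existence is checked against every enrollment configuration in the tenant, by displayName.
            if ($DeviceEnrollmentConfigurations.displayName -contains $EnrollmentStatusPage.displayName) {
                Write-Host "Enrollment status page '$($EnrollmentStatusPage.displayName)' already exists, not creating.." -ForegroundColor Yellow
                continue
            }

            $EnrollmentStatusPage = Invoke-MgGraphRequest -Method POST -Uri $EnrollmentConfigurationsUri -Body $EnrollmentStatusPage
            Write-Host "Created enrollment status page '$($EnrollmentStatusPage.displayName)'." -ForegroundColor Green

            # deviceEnrollmentConfigurations use the /assign action with a wrapped assignment list,
            # unlike Autopilot profiles which POST a single target to /assignments.
            $AssignBody = @{
                "enrollmentConfigurationAssignments" = @(
                    $AllDevicesTarget
                )
            }
            Invoke-MgGraphRequest -Method POST -Uri "$EnrollmentConfigurationsUri/$($EnrollmentStatusPage.id)/assign" -Body $AssignBody | Out-Null
            Write-Host "Assigned enrollment status page '$($EnrollmentStatusPage.displayName)' to all devices." -ForegroundColor Green
        }
    }
    catch {
        throw "Failed to update Device enrollment configuration: $_"
    }
}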