In order to keep campus compliant with IT-20 security requirements, DIT is deploying a policy that will enroll all current AD-only devices into Intune. This is to ensure that all University of Maryland owned machines will receive necessary security, application and operating system updates. This process will take place in two phases as described below.
The first phase will be pushing an Active Directory SecureW2 certificate that ensures users will have a seamless connectivity experience as their device enrolls into Intune. This certificate deployment will take place in grouped phases and those dates can be found on the Units by Deployment Date tab here: Certificate Enrollment List
Computers in scope for this change have been added to an AD security group, UMD-MG-SecureW2CertEnrollment. Group policy object UMD-SecureW2-CertEnrollment will be linked and filtered to only apply to the security group. This will deploy a device certificate that creates an additional wireless connection labelled eduroam-ad. During the Intune enrollment, the device will automatically fall back onto eduroam-ad without any input from the user. This transfer should be seamless and the user should not see any major connectivity issues.
The device will remain on eduroam-ad. Users will not need to enter credentials or interact with this wireless connection. In the future, this policy will be revoked and devices will transition back to eduroam.
NOTE: Users can manually switch over to eduroam. However, when the device restarts, it will automatically revert to eduroam-ad as it takes precedence over eduroam.
** If your team works remotely or in a hybrid model, please ensure they connect to GlobalProtect on the scheduled deployment day for your department. This allows the certificate to be applied and prevents any network access issues when they return to campus.
This process enrolls Windows 10 and Windows 11 devices into Intune automatically, without requiring a restart and without user interaction. It is used for devices that are currently managed only by on-prem Active Directory. Once complete, your device will appear under your assigned Intune site, assuming it follows the established naming convention. This deployment will take place November 17th, 2025 at 9 a.m.
# GPO startup script: applies the DIT-HYBRID provisioning package from SYSVOL and logs the outcome
$PkgPath = "\\AD.UMD.EDU\SysVol\AD.UMD.EDU\Policies\{DA9EC300-A42C-4F99-A211-FDDD0AA57424}\Machine\Scripts\Startup\Intune Enrollment\DIT-HYBRID.ppkg"
$LogPath = "C:\Windows\Temp\Intune_Enrollment.log"
Add-Content $LogPath "$(Get-Date) - Starting Intune provisioning from $PkgPath"
try {
    if (Test-Path $PkgPath) {
        Add-Content $LogPath "$(Get-Date) - Package found. Applying..."
        # Apply provisioning package silently
        Install-ProvisioningPackage -PackagePath $PkgPath -QuietInstall -ForceInstall -LogsDirectory "C:\Windows\Temp" | Out-Null
    } else {
        Add-Content $LogPath "$(Get-Date) - ERROR: Package not found at $PkgPath"
    }
}
catch {
    # Any failure from Install-ProvisioningPackage is recorded so the device can be re-checked
    Add-Content $LogPath "$(Get-Date) - ERROR applying provisioning package: $($_.Exception.Message)"
}
NOTE: If the .ppkg fails to apply, please elevate to an Admin Account to remove the package for this script to rerun. If you do continue to have problems with the enrollment, please contact it-desktop@umd.edu and we’ll be happy to assist as needed.
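A follow-up check an administrator can run on a device after the deployment date, as an added example that is not part of DIT's deployment script: it reads the enrollment log, confirms the DIT-HYBRID package is recorded as installed, reports join and MDM state from dsregcmd, and confirms the eduroam-ad wireless profile exists. The log path and package name come from the page; the dsregcmd field names and the shape of Get-ProvisioningPackage output are assumptions, so the package check matches on the object's text rather than on named properties.

```powershell
# Added verification script (not DIT's own code). Run elevated on an enrolled device.
# Assumed: log path and package name as on the page; dsregcmd field names.
$LogPath = "C:\Windows\Temp\Intune_Enrollment.log"
$PkgName = "DIT-HYBRID"

# 1. Did the GPO startup script run, and did it log an error?
if (Test-Path $LogPath) {
    $last = Get-Content $LogPath -Tail 5
    Write-Host "Last enrollment log entries:"
    $last
    if ($last -match "ERROR") {
        Write-Warning "Enrollment log reports an error; the package may need to be removed so the script can rerun."
    }
} else {
    Write-Warning "No enrollment log at $LogPath - the startup script has not run on this device."
}

# 2. Is the provisioning package recorded as installed? (requires elevation)
$pkgs = Get-ProvisioningPackage -AllInstalledPackages
$hit = $pkgs | Where-Object { ($_ | Out-String) -match $PkgName }
if ($hit) {
    Write-Host "Provisioning package $PkgName is installed:"
    $hit | Format-List
} else {
    Write-Warning "Provisioning package $PkgName not found among installed packages."
}

# 3. Domain/Azure AD join and MDM state as reported by dsregcmd (field names assumed).
$ds = dsregcmd /status
$ds | Select-String -Pattern 'AzureAdJoined|DomainJoined|MdmUrl' | ForEach-Object { $_.Line.Trim() }

# 4. Is the eduroam-ad profile present? It is created by the SecureW2 certificate GPO.
$profiles = netsh wlan show profiles
if ($profiles -match 'eduroam-ad') {
    Write-Host "eduroam-ad wireless profile present."
} else {
    Write-Warning "eduroam-ad profile missing; the certificate GPO may not have applied yet (connect via GlobalProtect if remote)."
}
```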