PowerShell: Detect and Fix – Hybrid Join, CCM CoManagement and Intune Service

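# Purpose: check three device-management prerequisites (Hybrid Azure AD Join,
# ConfigMgr co-management flags, Intune service) and, for each one that fails,
# trigger the corresponding built-in remediation, writing every result to a log.
# NOTE(review): dsregcmd /join, DeviceEnroller and Start-ScheduledTask presumably
# need an elevated context (e.g. SYSTEM via a management agent) - confirm how the
# script is deployed.

# Removing any previous variables and their values (if any)
Remove-Variable -Name "*Check*" -Force -ErrorAction SilentlyContinue

# Defining Log filename and path
# NOTE(review): C:\Temp is typically writable by standard users. When this script
# runs with elevated rights, appending to a file whose directory a non-admin can
# pre-create (or replace with a junction) lets the log be redirected or tampered
# with; a directory writable only by administrators is preferable - confirm who
# owns this path before relying on the log for evidence.
$LogFile = "C:\Temp\Logs\Conditional_Access_System_Check.txt"
$LogDir  = Split-Path -Path $LogFile -Parent
if (-not (Test-Path -LiteralPath $LogDir)) {
    # Out-File does not create missing parent directories; without this the very
    # first log write fails and every later line is lost.
    New-Item -ItemType Directory -Path $LogDir -Force | Out-Null
}

#######################################
# Append one line of text to $LogFile.
# Arguments: $Message - text to write
# Notes:     Out-File is used (not Add-Content) so the encoding stays the same as
#            the lines this script wrote before; -NoClobber has no effect together
#            with -Append and was dropped.
#######################################
function Write-Log {
    param([string]$Message)
    $Message | Out-File -FilePath $LogFile -Append
}

# Defining variables and system status
# dsregcmd.exe is executed directly, so it must receive its own switch. The previous
# form handed it "-ArgumentList" and "-NoNewWindow", which are Start-Process
# parameters rather than dsregcmd switches.
$HybridCheck = & "C:\Windows\System32\dsregcmd.exe" /status |
    Select-String -Pattern 'KeySignTest' |
    Select-Object -ExpandProperty Line

# -ErrorAction must sit on the cmdlet that can fail (missing key or value name);
# on Select-Object it suppressed nothing.
$CoManagementCheck = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name 'CoManagementFlags' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty CoManagementFlags

# The wildcard can match more than one service; collect every status so the check
# below passes when any matching service is running (the outcome the original
# array comparison produced implicitly).
$IntuneServicecheck = @(Get-Service -DisplayName '*Microsoft*Intune*' -ErrorAction SilentlyContinue |
    Select-Object -ExpandProperty Status)

#Script execution start time
Write-Log -Message "------------------------------"
# Piped rather than stringified so the date keeps the same formatting as before.
Get-Date | Out-File -FilePath $LogFile -Append

# Check Hybrid Join status # KeySignTest : PASSED
if ($HybridCheck -like '*PASSED*') {
    Write-Log -Message "Hybrid Join - Check: Passed"
}
else {
    # Keep the raw KeySignTest line (if any) for troubleshooting.
    $HybridCheck | Out-File -FilePath $LogFile -Append
    # Execute Task to perform Hybrid Join; its output is logged instead of going to the console.
    & "C:\Windows\System32\dsregcmd.exe" /join | Out-File -FilePath $LogFile -Append
    # Start Scheduled Task. Start-ScheduledTask emits no output, so there is nothing to log from it;
    # a missing task is tolerated rather than spilling an error to the console.
    Get-ScheduledTask -TaskName 'Automatic-Device-Join' -ErrorAction SilentlyContinue |
        Start-ScheduledTask -ErrorAction SilentlyContinue
    Write-Log -Message "Hybrid Join - Check: FAILED - Join command executed, please RESTART machine to take effect"
}

# Check Co Management status
# Registry Path:    HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\CCM
# Registry Key:     CoManagementFlags
# Registry Value:   3 - depending on your workload configured, modify the value below.
$ExpectedCoManagementFlags = 3
if ($CoManagementCheck -eq $ExpectedCoManagementFlags) {
    Write-Log -Message "CCM Comanagement Check: Passed"
}
else {
    Write-Log -Message "CCM CoManagement Check: FAILED"
    # $CoManagementCheck is empty here when the key or value does not exist.
    Write-Log -Message "CCM CoManagement Current Value: $CoManagementCheck"
    # Trigger CCM agent CoManagement enable task
    Start-Process -FilePath "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/c /AutoEnrollMDM" -ErrorAction SilentlyContinue
    Write-Log -Message "CCM CoManagement Enable Task Triggered. Check EventViewer: Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin"
    Write-Log -Message "No Reboot Required for this step"
}

# Check InTune service status
if ($IntuneServicecheck -contains 'Running') {
    Write-Log -Message "Intune Service Check: Passed"
}
else {
    Write-Log -Message "Intune Service Check: FAILED"
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -eq 'PushLaunch' } |
        Start-ScheduledTask -ErrorAction SilentlyContinue
    Write-Log -Message "Device Sync Task Triggered"
}

# NOTE(review): the script never sets an exit code, so a caller sees success even
# when one or more checks failed; if a management platform consumes the result,
# an explicit exit status per outcome would need to be added - confirm the caller.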