top of page
Search

How to Enroll Existing Entra ID Joined Devices into Microsoft Intune

  • Writer: Jack Davies
    Jack Davies
  • 11 hours ago
  • 4 min read

Learn how to trigger Microsoft Intune enrollment for devices that are already joined to Entra ID (formerly Azure AD). As more organizations transition to Entra ID for identity management, using Microsoft Intune for MDM (Mobile Device Management) and MAM (Mobile Application Management) has become the standard.


However, it is a common scenario to find devices that are successfully Entra ID Joined but have missed the Intune enrollment. This typically occurs when "Automatic Enrollment" was not configured at the time the device joined the domain.


What happens when a device is joined but not enrolled?

When a device is Entra ID joined but not enrolled in Intune, it remains unmanaged. This means you cannot push security policies, deploy applications, or manage updates. Essentially, the device is "known" by your identity provider but not "controlled" by your management system.


Why should you force an enrollment?

  • To gain management control: You need to push OMA-URI policies or scripts.

  • Security Compliance: To ensure the device meets organizational health standards.

  • App Deployment: To automatically install required software via the Company Portal.


Prerequisites


Before attempting to trigger enrollment, ensure the following conditions are met:

  • Administrator Rights: Execution on the local device must be done with elevated privileges.

  • Licensing: Users must be assigned a valid license that includes Microsoft Intune (e.g., Business Premium, E3, or E5).

  • MDM Scope: In the Entra admin center, ensure the MDM user scope is set to All or a specific group containing your users.


Ways to Trigger Intune Enrollment


1: Triggering Enrollment using PowerShell

This method is highly efficient if you use an external RMM tool to deploy scripts across your fleet, though it can also be run manually on individual machines.


Note: Ensure your enrollment URLs match the standard Microsoft defaults provided below.


  1. Launch PowerShell as an Administrator.

  2. Copy and run the following script:

# Set MDM Enrollment URL's 
$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*' $keyinfo = Get-Item "HKLM:\$key" 
$url = $keyinfo.name 
$url = $url.Split("\")[-1] 
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\$url"
New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ea SilentlyContinue; 
New-ItemProperty -LiteralPath $path -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ea SilentlyContinue; 
New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ea SilentlyContinue; 

# Trigger AutoEnroll 
C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM

Once the script runs, you can sit back and relax. It might take a few minutes for the device to show up in the Intune portal, but the process is now in motion.


Option 2: Using Sysinternals (PsExec)

If you're only dealing with one or two devices and prefer a manual "hands-on" approach, PsExec from the Sysinternals suite is a great way to go.


  1. Download the Sysinternals Suite from Microsoft.

  2. Extract the files and copy PsExec.exe to a local folder (e.g., C:\Temp).

  3. Open PowerShell as Administrator and navigate to your folder.

  4. Run the following command to launch a PowerShell session as the SYSTEM account:

.\PsExec.exe -i -s powershell

  1. In the new window that pops up, run the enrollment command:

deviceenroller.exe /c /AutoEnrollMDM


Option 3: The "Settings Sync" (User-Driven)

Sometimes, the simplest way is to nudge the device via the UI. This is great for remote users who can follow a few quick steps.


  1. Navigate to Settings > Accounts > Access work or school.

  2. Select the "Connected to [Your Org] Entra ID" account.

  3. Click Info, then scroll down and hit the Sync button.


This forces a check-in that often triggers the missing MDM registration.


Option 4: "Enroll Only in Device Management"

If the device is joined but simply won't "see" Intune, you can manually add the management layer without affecting the Entra join status.


  1. Go to Settings > Accounts > Access work or school.

  2. Click Connect.

  3. Important: Look for the link at the bottom: "Enroll only in device management".

  4. Enter the user's email and password. This creates a dedicated management channel to Intune.


Option 5: Bulk Enrollment (Provisioning Packages)

No RMM? No problem. You can use a Provisioning Package (.ppkg) to enroll devices in bulk via a USB drive.


  1. Open Windows Configuration Designer and create a "Provision Desktop Devices" project.

  2. Under Account Management, select Enroll in Azure AD and get a Bulk Token.

  3. Export the project to a USB.

  4. Plug it into the target machine; Windows will detect the package and handle the enrollment for you.


Verification: Did it work?


Don't just trust the "Script Successful" message. Here is how to verify the enrollment on the device side:


1: The dsregcmd Command

Open Command Prompt and run:

dsregcmd /status

Look under the Tenant Details section. You want to see:

  • MdmUrl: (Should point to Microsoft Intune)

  • MdmEnrollmentUrl: (Should be populated)

  • AzureAdJoined: YES


2: Event Viewer Logs (The "Source of Truth")

If the enrollment fails, the Event Viewer will tell you exactly why. Navigate to:

Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin


  • Event ID 75: Success! The device is enrolled.

  • Event ID 76: Failure. The error description here is your best friend for troubleshooting.


Troubleshooting Common Errors

Even with the best scripts, you might run into some classic Windows enrollment errors. Here is how to decode them:

Error Code

Meaning

Fix

0x80180014

Device is not supported or blocked by restriction.

Check Enrollment Device Platform Restrictions in Intune.

0x80180018

User is not authorized to enroll.

Ensure the user has an Intune License and is in the MDM Scope.

0x8018002a

The user canceled the enrollment.

Usually happens if the user closes the login prompt; retry the process.

0x8007064a

Enrollment is disabled.

Check if Automatic Enrollment is actually enabled in the Entra Portal.


Conclusion

Whether you want to automate the process with PowerShell or handle it manually via Settings, you have plenty of ways to get your devices managed. Moving to Entra ID is a big win getting Intune enrollment sorted is the final piece of the puzzle!

Comments

bottom of page