How to Enrol Entra ID Joined Devices into Microsoft Intune

A common situation that catches IT admins off guard: a device is Entra ID joined but never made it into Intune.

This usually happens when automatic MDM enrolment wasn't enabled at the time the device joined. The device is known to Entra ID but your management platform has no record of it. No policies, no app deployments, no compliance checks. This guide covers five ways to fix that.

Joined but Not Enrolled, What's the Difference?

When a device is Entra ID joined but not enrolled in Intune, it sits in an awkward middle ground. Your identity platform knows about it, but your management platform doesn't. In practice this means:

• You cannot push security policies or configuration profiles to the device
• You cannot remotely deploy or uninstall applications
• You cannot enforce compliance requirements or conditional access based on device health
• The device will not appear in Intune's device list

Prerequisites

Before attempting any of these methods, make sure the following are in place or you'll hit errors at every step.

Method 1, PowerShell (Recommended)

The most reliable and scalable method. If you have an RMM tool like Huntress, NinjaRMM, or ConnectWise, you can push this script across your entire fleet without touching a single device. It can also be run manually on individual machines.

1. 1Open PowerShell as Administrator on the target device.
2. 2Run the following script to trigger MDM enrollment:

# Trigger Intune MDM enrollment for an Entra ID joined device

# Set the MDM enrollment URLs
$EnrollmentUrl     = "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc"
$TermsOfUseUrl    = "https://portal.manage.microsoft.com/TermsofUse.aspx"
$ComplianceUrl    = "https://portal.manage.microsoft.com/?portalAction=Compliance"

# Set the registry path for MDM enrollment
$RegPath = "HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM"

# Create the registry key if it doesn't exist
if (-not (Test-Path $RegPath)) {
    New-Item -Path $RegPath -Force | Out-Null
}

# Enable auto-enrollment
Set-ItemProperty -Path $RegPath -Name "AutoEnrollMDM" -Value 1 -Type DWord
Set-ItemProperty -Path $RegPath -Name "UseAADCredentialType" -Value 1 -Type DWord

# Trigger the enrollment via DeviceEnroller
$EnrollerPath = "C:\Windows\System32\DeviceEnroller.exe"
Start-Process -FilePath $EnrollerPath -ArgumentList "/C /AutoEnrollMDM" -Wait

Write-Host "Enrollment triggered. Check Intune portal in 5-10 minutes." -ForegroundColor Green

Method 2, PsExec (Sysinternals)

If you only have one or two devices to deal with and prefer a more direct approach, PsExec from the Microsoft Sysinternals suite lets you run the enrollment command as the SYSTEM account, which is what Intune enrollment requires.

1. 1Download the Sysinternals Suite from Microsoft and extract the files.
2. 2Copy PsExec.exe to a local folder, e.g. C:\Temp.
3. 3Open PowerShell as Administrator and go to that folder.
4. 4Run the following to open a SYSTEM-level PowerShell window:

cd C:\Temp
.\PsExec.exe -i -s powershell.exe

1. 5In the new SYSTEM PowerShell window that opens, run the enrollment command:

Start-Process -FilePath "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/C /AutoEnrollMDM" -Wait

Method 3, Settings Sync (User-Driven)

Sometimes the simplest fix works. For remote users who can follow a few steps themselves, nudging the device via the Settings app can trigger the missing MDM registration without any admin intervention.

1. 1Go to Settings → Accounts → Access work or school.
2. 2Select the "Connected to [Your Org] Entra ID" account.
3. 3Click Info, then scroll down and click the Sync button.

This forces a check-in that often triggers the missing MDM registration. It's not guaranteed to work in all cases but it's worth trying first as it requires no admin tools.

Method 4, Enroll Only in Device Management

If the device is Entra joined but Intune still isn't picking it up, you can manually add the MDM management layer without touching the existing Entra join status.

1. 1Go to Settings → Accounts → Access work or school.
2. 2Click Connect.
3. 3Look for the small link at the bottom of the sign-in dialog: "Enroll only in device management", click it.
4. 4Enter the user's work email and password to create a dedicated Intune management channel.

Method 5, Bulk Enrollment via Provisioning Package

If you don't have an RMM tool and need to enroll multiple devices, a Windows Provisioning Package (.ppkg) deployed via USB is a solid option. Windows detects and runs the package automatically when plugged in.

1. 1Open Windows Configuration Designer (available from the Microsoft Store).
2. 2Create a new "Provision Desktop Devices" project.
3. 3Under Account Management, select Enroll in Azure AD and generate a Bulk Token by signing in with an admin account.
4. 4Export the project to a USB drive.
5. 5Plug the USB into each target device, Windows detects the package and processes the enrollment automatically.

Verifying the Enrollment Worked

Don't just trust a "script completed" message. Here's how to properly confirm a device is enrolled.

Method A, dsregcmd

The quickest verification. Open Command Prompt and run:

dsregcmd /status

In the output, look for the Tenant Details section. You want to see all three of these populated:

• AzureAdJoined, should be YES
• MdmUrl, should point to https://enrollment.manage.microsoft.com
• MdmEnrollmentUrl, should be populated

Method B, Event Viewer

If something went wrong, Event Viewer gives you the exact reason. Go to:

Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin

• Event ID 75, enrollment succeeded ✅
• Event ID 76, enrollment failed. The error description is your starting point for troubleshooting ❌

Troubleshooting Common Errors

Even with everything configured correctly, you might hit some classic enrollment errors. Here's a quick decoder: