What Intune auto MDM enrollment means for your Azure AD PCs
Intune auto MDM enrollment lets you manage your Azure AD-joined PCs easily. Some people think every device will enroll by itself after setting up Intune, but this does not always happen. You might see errors even if you set the correct Group Policy or MDM authority. You should check the device’s Primary Refresh Token status, internet connection, and event logs. Sometimes, enrollment is slow or needs more steps, especially for devices joined before you set up Intune.
Key Takeaways
Intune auto MDM enrollment lets you manage Azure AD PCs easily because enrollment runs on its own. This saves you time and work.
Devices joined before Intune setup need extra steps. You must enroll them by hand or use a script. They do not enroll on their own.
You need the right licenses for this. You need Microsoft Intune and Azure AD Premium. You also must turn on auto enrollment in Intune settings.
Use Group Policy and scheduled tasks to help with auto enrollment. You should check event logs to see progress or find errors.
If there are problems, check your licenses and network access. Make sure user scope and device tokens are set right. This keeps devices safe and managed.
Intune auto MDM enrollment Overview
What It Is
Intune auto MDM enrollment is a tool that helps you manage Windows devices with less work. When you join a device to Azure AD, this feature can add the device to Microsoft Intune by itself. You do not have to do extra things for each device. This works for both personal and work devices.
Here are some things to know about Intune auto MDM enrollment:
Devices can join Intune by themselves when they join or sign up with Azure AD.
It works for both personal and company devices.
You need the right licenses, like Microsoft Entra ID P1 or P2 and an Intune subscription.
You must turn on automatic enrollment in the Intune admin center.
You can pick which users’ devices will auto-enroll by setting the MDM user scope.
When it is on, devices join Intune without the user doing anything at Azure AD join.
Tip: Intune auto MDM enrollment lets you control devices from far away, keep them safe, and protect company data.
How It Works
Intune auto MDM enrollment uses Azure AD settings and Windows rules to make managing devices easy. When you turn on the right Group Policy, Windows makes a scheduled task that starts the enrollment in the background. The device uses the Azure AD login of the person using it.
Here is how it works:
The policy makes a registry key and a scheduled task on the device.
The scheduled task runs and tries to add the device to Intune using the user’s Azure AD login.
The device must be joined to Azure AD and have an MDM service ready.
The enrollment might take a while, and you can check the progress in Event Viewer.
After enrollment, you can manage the device with Intune, set security rules, send apps, and erase data if needed.
Note: Intune auto MDM enrollment works for many devices at once. You can use Group Policy to set up lots of devices, so it is easier to manage a big group.
Enrollment Options for Existing Azure AD Devices
If you want to manage devices joined to Azure AD before Intune, you may see problems. These devices often do not enroll by themselves, even with the right settings. Knowing why this happens helps you manage your devices better.
Why Auto Enrollment Does Not Work for Existing Devices
Many groups find that devices joined before Intune do not enroll automatically. You might see errors in Event Viewer, like Event ID 76 or 71. Codes such as 0x80180001 or 0x8018002b can show up. These errors mean the device cannot finish enrollment because of token or policy issues. Sometimes, Intune sees these devices as personal or BYOD, which your rules may block. Devices may also have duplicate or mixed records in Azure AD, causing enrollment to fail. Conditional Access or Multi-Factor Authentication (MFA) can also stop the process. Even with Group Policy set for automatic MDM enrollment, these devices may not enroll because they missed the step when joining.
Note: Devices joined before Intune was turned on did not enroll at join time. Later tries to auto-enroll often fail because of policy or setup problems.
Manual Enrollment
Manual enrollment lets you add old Azure AD-joined devices to Intune one at a time. You can use the Windows Settings app to start. You may also use Local Group Policy or change the registry to begin enrollment. Sometimes, you need to run a command like deviceenroller.exe /c /AutoEnrollMDM on the device. Before you begin, make sure users have the right licenses and are in the MDM user scope.
Manual enrollment is good for a few devices. You can check each device and fix problems quickly. But this way takes a lot of time if you have many devices. You may also see slow updates or policy problems if the device does not have a proper Azure AD user token.
Manual steps may include:
Using the Settings app to add a work or school account.
Setting Local Group Policy to start enrollment.
Changing the registry to set enrollment URLs.
Running the deviceenroller command.
Tip: Always check your Intune and Azure AD Premium licenses before manual enrollment.
Scripted Enrollment
Scripted enrollment helps you enroll many devices at once. You can use PowerShell scripts to set registry keys and start enrollment. For example, a script can check for the TenantInfo registry key, add missing MDM URLs, and run deviceenroller.exe with the right flags. This way works well if you use remote tools or need to enroll lots of devices.
A common PowerShell script sets the MDM enrollment URLs in the registry and then runs deviceenroller.exe with the /AutoEnrollMDM flag. This lets you enroll devices without rejoining or wiping them.
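The following is an added example of such a script; it is not the page's own script and not Microsoft's. It assumes the TenantInfo key under CloudDomainJoin is the one the enrollment client reads, and the Terms-of-Use and Compliance URLs are the standard Intune endpoints, which the page does not list.

```powershell
# Added example, not the page's own script: enroll a PC that is already Azure AD
# joined by writing the MDM URLs missing from its TenantInfo key, then running
# deviceenroller.exe. Run elevated. Assumptions: the TenantInfo path below is the
# key the enrollment client reads; the Terms-of-Use and Compliance URLs are the
# standard Intune endpoints and are not taken from the page.
$ErrorActionPreference = 'Stop'

$discoveryUrl  = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
$termsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
$complianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'

# Step 1: the device must already be Azure AD joined; otherwise there is no PRT to enroll with.
$status = dsregcmd /status | Out-String
if ($status -notmatch 'AzureAdJoined\s*:\s*YES') {
    throw 'Device is not Azure AD joined; auto MDM enrollment cannot proceed.'
}

# Step 2: locate the tenant GUID key that Azure AD join wrote under TenantInfo.
$tenantInfoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
$tenantKey = Get-ChildItem -Path $tenantInfoRoot | Select-Object -First 1
if (-not $tenantKey) { throw "No tenant key found under $tenantInfoRoot" }
$tenantPath = $tenantKey.PSPath

# Step 3: add only the MDM URL values that are missing. PCs joined before Intune
# was enabled usually have none of them, which is why they never auto-enrolled.
$urls = @{
    MdmEnrollmentUrl = $discoveryUrl
    MdmTermsOfUseUrl = $termsOfUseUrl
    MdmComplianceUrl = $complianceUrl
}
foreach ($name in $urls.Keys) {
    $existing = (Get-ItemProperty -Path $tenantPath -Name $name -ErrorAction SilentlyContinue).$name
    if (-not $existing) {
        Write-Host "Setting $name"
        New-ItemProperty -Path $tenantPath -Name $name -Value $urls[$name] -PropertyType String -Force | Out-Null
    }
}

# Step 4: write the policy values the Group Policy setting would set, so the
# device keeps auto-enrollment enabled on later policy refreshes.
$mdmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
New-Item -Path $mdmPolicy -Force | Out-Null
Set-ItemProperty -Path $mdmPolicy -Name AutoEnrollMDM -Value 1 -Type DWord
Set-ItemProperty -Path $mdmPolicy -Name UseAADCredentialType -Value 1 -Type DWord

# Step 5: start enrollment now instead of waiting for the scheduled task.
& "$env:SystemRoot\System32\deviceenroller.exe" /c /AutoEnrollMDM
Write-Host "deviceenroller exit code: $LASTEXITCODE (watch Event Viewer for progress)"
```

Test it on a handful of devices first: a wrong URL value written to every TenantInfo key is one of the ways duplicate or stuck enrollment records are created.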
You can also use scripts to collect device info for Windows Autopilot. The Get-WindowsAutoPilotInfo script gathers details and makes a file you upload to Intune. This helps you manage devices with Autopilot and Intune together.
Scripted enrollment saves time and keeps device records clean. But you must test your scripts to avoid mistakes or double records. Make sure your devices run a supported Windows version and have internet during enrollment.
Scripted enrollment can:
Make bulk device enrollment faster.
Lower manual mistakes.
Help with Autopilot registration.
Deep Link and Self-Service
Deep link and self-service enrollment let users start enrollment themselves. You can send users a special link or QR code that opens the enrollment page. When users follow the link, the device makes keys and certificates, then sends a request to Azure Device Registration Service. Azure checks the request and gives a device certificate, finishing registration and allowing management.
This way is good when you want users to enroll their own devices with little IT help. Deep links can help more users enroll, especially with clear instructions. In big companies, click-to-install rates for deep links can reach up to 33%, much higher than regular ways. Self-service enrollment also supports safe device login and certificate-based management.
Deep link and self-service enrollment:
Let users enroll devices with one click or scan.
Use safe key and certificate exchange for login.
Help more users enroll and lower IT work.
Note: Clear messages and easy steps help users finish self-service enrollment.
Security and Management Considerations
Each enrollment way changes how you manage and protect devices. Automatic ways like Group Policy and Autopilot keep rules the same and lower double records. Manual and self-service ways may register devices as personal, which can limit management choices. Always plan your steps to avoid double device entries and make sure all devices get the right security rules.
Organization-owned devices enrolled with automatic or scripted ways become fully managed, while user-started enrollment may only apply to the signed-in user.
By knowing what each enrollment way offers, you can pick the best one for your group and keep devices safe and following rules.
Requirements and Setup
Licensing and Permissions
You must have the right licenses and permissions before using Intune auto MDM enrollment with your Azure AD-joined PCs. If you do not have these, devices will not enroll or show up in Intune.
Every user needs a Microsoft Intune license. This license can come from Microsoft 365 E3, E5, or a single Intune plan.
Users also need an Azure AD Premium license, either P1 or P2. This license lets you use features like auto MDM enrollment.
The MDM user scope in Azure AD Mobility settings must include all users or the group you want to manage.
Device-only Intune licenses do not let users auto-enroll.
For hybrid Azure AD joined devices, you need extra setup, like turning on Group Policy.
Tip: Giving users the right licenses is very important. If a user does not have both licenses, auto-enrollment will not work.
Intune Configuration
Setting up Intune the right way is needed for auto MDM enrollment to work. You must pick the correct options so devices enroll and stay managed.
Set the MDM user scope to "All" or to a group with your users.
Set the MAM user scope to "None" if you only want MDM enrollment.
Devices must have internet and be able to reach Microsoft websites.
Enrollment settings must allow the device type and ownership you want.
Supported Windows versions are Pro, Enterprise, and Education, with Windows 10 version 1709 or newer.
You must turn on the Group Policy setting "Enable automatic MDM enrollment using default Microsoft Entra credentials" on devices.
The MDM discovery URL must be set to https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc.
Devices already enrolled in another MDM must be removed first.
If you see errors during enrollment, check for network problems, license issues, or wrong user scope settings. Devices also need the scheduled task for auto-enrollment to be there and running.
A table can help you see what you need:
If you meet these needs and check your setup, your Azure AD-joined PCs will enroll in Intune and stay managed.
Troubleshooting Enrollment Issues
Common Problems
When you try to enroll Azure AD-joined PCs into Intune, you might run into some problems. These problems can stop devices from enrolling or make your device list confusing.
You might also see error codes or messages when you try to enroll. Some common ones are:
Error code 0x80180014: "Your Organization doesn’t support this version of Windows." This means a rule is blocking enrollment.
Error code 80180003: "Your account was not set up on this device because device management could not be enabled." This means the user does not have the right permissions.
Error code 80180005: This means there is a server problem, often because of network trouble.
Win32 error codes like 0x82aa0008: These show up in logs and usually mean there is a permission or setup problem.
Other problems can happen too. Company names with special symbols, missing user licenses, or expired certificates can cause trouble. Sometimes, network rules or proxy settings stop the device from talking to Intune.
Tip: You can use tools in the Microsoft 365 admin center to test for enrollment problems.
Solutions
You can fix most enrollment problems by checking some important settings and following steps.
Make sure auto enrollment is set up the right way in Intune.
Check that every user has both Microsoft Intune and Azure AD Premium licenses.
Use the command dsregcmd /status to check if the device is joined to Azure AD and has a valid Primary Refresh Token (PRT).
Make sure the Group Policy for automatic MDM enrollment is set and the scheduled task is on the device.
Look at the DeviceManagement-Enterprise-Diagnostics-Provider event log in Event Viewer for errors.
Make sure the MDM user scope is set to "All" or includes the right users.
Check if Multi-Factor Authentication or Conditional Access rules are stopping enrollment. You might need to change these.
Make sure devices have a good internet connection and can reach Microsoft sites.
Remove special symbols from your company name if enrollment does not work.
Be careful when removing duplicate or old devices so you do not break sign-ins or lose important keys.
If you see error codes, read the message for hints. For example, if it says you are missing permissions, check user licenses and MDM scope. If it says server error, check your network or firewall.
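The checks in the list above can be run together from one read-only PowerShell script. This is an added example, not the page's own; it assumes the enrollment scheduled task sits under \Microsoft\Windows\EnterpriseMgmt\ and that the diagnostic log is named Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin.

```powershell
# Added example, not from the page: a read-only check of the items in the
# troubleshooting list above. Assumptions: the enrollment scheduled task lives
# under \Microsoft\Windows\EnterpriseMgmt\ and the event log is named
# Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin.
$report = [ordered]@{}

# 1. Join state and Primary Refresh Token, parsed from dsregcmd /status.
$status = dsregcmd /status | Out-String
$report['AzureAdJoined'] = [bool]($status -match 'AzureAdJoined\s*:\s*YES')
$report['AzureAdPrt']    = [bool]($status -match 'AzureAdPrt\s*:\s*YES')
$report['MdmUrl']        = if ($status -match 'MdmUrl\s*:\s*(\S+)') { $Matches[1] } else { '(none)' }

# 2. Policy values behind "Enable automatic MDM enrollment using default Microsoft Entra credentials".
$mdmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$policy = Get-ItemProperty -Path $mdmPolicy -ErrorAction SilentlyContinue
$report['AutoEnrollMDM policy'] = ($policy.AutoEnrollMDM -eq 1)

# 3. The scheduled task that performs background enrollment.
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object TaskName -like '*automatically enrolling in MDM*' | Select-Object -First 1
$report['Enrollment task present'] = [bool]$task
if ($task) { $report['Task last result'] = ($task | Get-ScheduledTaskInfo).LastTaskResult }

# 4. Errors from the enrollment diagnostic log in the last 24 hours
#    (Event IDs 71 and 76 are the ones the page associates with token or policy problems).
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
$errors = @(Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddDays(-1) } -ErrorAction SilentlyContinue)
$report['Errors last 24h'] = $errors.Count

# 5. Can the device reach the enrollment endpoint on 443?
$report['Discovery reachable'] = Test-NetConnection -ComputerName 'enrollment.manage.microsoft.com' -Port 443 -InformationLevel Quiet

$report.GetEnumerator() | ForEach-Object { '{0,-24} {1}' -f $_.Key, $_.Value }
foreach ($e in $errors | Select-Object -First 5) {
    '  [{0}] Event ID {1}: {2}' -f $e.TimeCreated, $e.Id, ($e.Message -split "`n")[0]
}
```

A device that reports AzureAdJoined and AzureAdPrt as True but no MdmUrl and no enrollment task is the "joined before Intune" case described earlier, and needs the manual or scripted enrollment path rather than more waiting.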
By knowing what problems to watch for and what steps to take, you can keep your Azure AD-joined PCs enrolled and managed in Intune.
Intune auto MDM enrollment does not work by itself for old Azure AD-joined PCs. You have to do manual steps to enroll these devices. You might need to change the registry or use PowerShell scripts.
You can use self-enrollment, provisioning packages, or the Company Portal app. These ways give you more choices for enrolling devices.
Make sure to remove old device records. Check if users have the right licenses. This helps you avoid common problems.
If you plan ahead, you can manage devices more easily. This also helps keep your organization safe.
FAQ
What happens if you try to auto-enroll an existing Azure AD-joined device?
The device will not enroll by itself. It joined Azure AD before Intune was set up. Because of this, it does not get the auto-enrollment signal.
What tools can you use to check enrollment status?
You can use Event Viewer to look for problems. The dsregcmd /status command gives device info. The Intune admin center also shows if a device is enrolled.
What is the best way to enroll many existing devices?
PowerShell scripts or remote tools work best. These let you enroll lots of devices at once. This makes the job faster and easier.
What should you do if a device shows up twice in Azure AD?
Check which device record is being used now. Delete the old or unused one. Do not remove the device people need for sign-in or BitLocker.
What licenses do you need for Intune auto MDM enrollment?
Each user needs a Microsoft Intune license. They also need an Azure AD Premium (P1 or P2) license. Without both, devices will not enroll by themselves.