
Setting Up Automatic Enrollment of Windows Devices into Intune Using Microsoft Entra ID (Azure AD)

by Joey Cole, Technical Writer

As more IT environments embrace hybrid work setups and cloud-based strategies, organizations must prioritize efficient and secure methods for managing and provisioning devices. One such method is to auto-enroll devices in Intune as soon as they are joined to Azure AD (now known as Microsoft Entra ID). This simplifies onboarding, enhances compliance, and enables zero-touch provisioning by using tools like Group Policy and Autopilot.

This guide breaks down the different methods to set up the automatic enrollment of Windows devices to Intune, including Azure AD Join, Group Policy for hybrid environments, Windows Autopilot, scripting via PowerShell, and registry configurations.

How to auto-enroll devices in Intune

In general, there are three common paths to automatically enroll Windows devices to Intune:

  1. AAD Join + Auto-Enroll (cloud-native, user-driven, or Autopilot) refers to cloud-based methods that connect a device directly to Microsoft Entra ID (formerly Azure AD).
  2. Hybrid AAD Join + GPO Auto-Enroll (domain-joined, policy-driven) refers to methods that use both on-premise and cloud-based steps. Devices on this path are typically configured with a Group Policy that enables automatic enrollment in Intune.
  3. Manual token or script-based enrollment for legacy or bulk methods is helpful for IT administrators who need to enroll devices without using the first two paths.

With these three paths in mind, users can set up automatic enrollment using any of five methods: Azure Portal, Group Policy Editor, Autopilot, registry modification, and PowerShell.

📌 Prerequisites: Before proceeding, ensure that the following requirements are met:

  • Microsoft Intune license (may come from Microsoft 365 Business Premium, EMS, Microsoft 365 E3/E5)
  • A Microsoft Entra ID tenant (formerly Azure AD) with MDM configured (visible in Mobility settings)
  • Administrative privileges (⚠️ Important: You need permissions to configure MDM settings and Azure AD join to use the methods below; otherwise, your changes may not apply.)
  • Windows 10/11 Pro, Enterprise, or Education edition
  • Network access to Microsoft MDM endpoints

Hybrid methods also need Azure AD Connect with device writeback and SCP configured.

💡 TIP: Access to Microsoft Endpoint Manager Admin Center and Windows Autopilot Deployment service is highly recommended for streamlined device management and provisioning.

📌 Recommended deployment strategies: the original table compares each of the five methods by fit for individual users (💻) and for enterprises (💻💻💻):

  • Method 1: Auto-enroll a Windows device to Intune via the Azure portal
  • Method 2: Enroll a device automatically with Group Policy Editor
  • Method 3: Zero-touch enrollment with Windows Autopilot
  • Method 4: Registry modification approach for pre-provisioning
  • Method 5: Automating device enrollment with PowerShell

Method 1: Auto-enroll a Windows device to Intune via the Azure portal

Microsoft Intune admin center (formerly Azure portal) is a unified web-based console that enables users to view, create, and manage Azure resources. It can also be used to enroll Windows devices automatically into Intune. This method enables automatic MDM enrollment when a device is joined to Microsoft Entra ID (Azure AD) by a licensed user in scope.

📌 Use Cases: Since this is the simplest way to configure MDM auto-enrollment, this method is helpful for a variety of use cases, including:

  • Cloud-native environments
  • Remote-first or hybrid workforces
  • Startups or SMBs with limited on-premises infrastructure
  • MSPs managing clients with Microsoft Entra ID (Azure AD) and Microsoft 365

To use this method, follow these steps:

  1. Sign in to the Azure portal as a Global Admin.
  2. Azure Active Directory > Mobility (MDM and MAM).
  3. Select Microsoft Intune.
  4. Set MDM user scope to All or Some (targeting specific Entra ID groups).

💡 Note: Not sure which user scope to choose? Selecting All enables all users in your Microsoft Entra ID (Azure AD) tenant to auto-enroll their devices, while selecting Some allows only specific Entra ID groups to do so. The former is ideal for small to medium organizations, while the latter is best for testing environments and gradual rollouts. Read more about the potential consequences of this step in the Things to look out for section.

  5. Save your settings.

Method 2: Enroll a device automatically with Group Policy Editor

This method enables IT administrators to automatically enroll domain-joined Windows devices into Microsoft Intune by using Active Directory–based Group Policy. It is the method of choice for hybrid environments (i.e., environments with on-premises AD where cloud management is being phased in or used as needed).

📌 Use Cases: This method is ideal for domain-joined devices synced with Microsoft Entra ID (Azure AD) Connect and enterprise-wide policy deployments.

📌 Prerequisite: Ensure your SCP is configured correctly and devices are syncing via Entra ID Connect.

⚠️ Important: Local Group Policy Editor is unavailable on Windows 10/11 Home editions. Ensure you have the appropriate Windows edition when using the Group Policy Editor for any changes.

To use this method:

  1. Press Win + R, type gpedit.msc, and click OK to open the Group Policy Editor.
  2. Navigate to Computer Configuration > Administrative Templates > Windows Components > MDM.
  3. Look for the policy named Enable automatic MDM enrollment using default Azure AD credentials and set it to Enabled.
  4. Apply the GPO to the appropriate OU.
  5. Run gpupdate /force on a device in the target OU to force a policy refresh.
  6. Reboot the device and log in as a licensed user to complete the hybrid join and trigger auto-enrollment.

Method 3: Zero-touch enrollment with Windows Autopilot

📌 Use Cases: This method is best used for enrolling new or reimaged devices, making it ideal for MSPs and IT teams managing remote or hybrid workforces.

📌 Prerequisite: For this method to work, ensure that:

Follow these steps to use Windows Autopilot:

  1. Collect the hardware hash using PowerShell. You can use the following commands (the Get-WindowsAutopilotInfo script is downloaded from the PowerShell Gallery the first time, so the device needs internet access):
New-Item -Type Directory -Path "C:\HWID" -Force
Set-Location -Path "C:\HWID"
Install-Script -Name Get-WindowsAutopilotInfo -Force          # one-time download of the hash-collection script
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"    # make the installed script callable in this session
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv        # export this device's hardware hash

Be careful when collecting the hardware hash, as uploading an incorrect one may cause enrollment failures. Read more about it in the Things to look out for section.

  2. Upload the CSV file to MEM Admin Center. To do this, go to Devices > Windows > Windows enrollment > Devices, click Import, and upload the file.
  3. Create and assign Autopilot deployment profiles. To do this, ensure that you follow these steps:
    • Select Convert all targeted devices to Autopilot.
    • Configure Join to Microsoft Entra ID (Azure AD) as joined.
    • Enable automatically enroll in MDM.
  4. Devices will auto-enroll during OOBE as soon as they’re powered on and connected.

Method 4: Registry modification approach for pre-provisioning

⚠️ Warning: This method is not documented or supported by Microsoft. Create a backup before making any changes.

📌 Use Cases: Typically used for OEMs or advanced provisioning scenarios

Follow these steps when modifying the registry:

  1. Open Registry Editor. To do this, press Win + R, type regedit, press Enter, and click OK.
  2. Navigate to HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Enrollments\
  3. Add the following keys:
    • UPN
    • DiscoveryServiceFullUrl
    • EnrollmentType
    • EnrollmentToken

💡 Note: To add keys, make sure you are in the correct registry location. Right-click on the parent key, then choose New > Key. Provide a name for the new key.

  4. Double-click each new key to modify its value. You may refer to the table below; however, note that these values may vary based on your Windows version, enrollment type, and tenant configuration.

Key | Value | Sample Value
UPN | User Principal Name associated with the enrollment | [email protected]
DiscoveryServiceFullUrl | Intune enrollment discovery service endpoint | https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
EnrollmentType | Internal enrollment classification used by Windows | 6
EnrollmentToken | Token generated during specific automated workflows | <token value>

Method 5: Automating device enrollment with PowerShell

📌 Use Cases: This method is best suited for MSPs or IT teams that need to automate enrollment across large device fleets through scripting and task automation.

📌 Prerequisites: You’ll need to have PowerShell installed on your device and administrator privileges.

You can use PowerShell to automate different parts of the device enrollment process. To do so, follow these steps:

  1. Open PowerShell as an administrator.
  2. Use the following commands (based on what you want to automate):

Start manual MDM enrollment (uses the signed-in Entra ID user's credentials):

Start-Process "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/c /AutoEnrollMDM"

Validate Intune management status (the MDM bridge WMI namespace is only readable in the local SYSTEM context, so run this from a SYSTEM shell, for example via PsExec -s, or from an RMM/Intune script that runs as SYSTEM):

# Query the MDM bridge WMI provider for the device's management details
Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_DevDetail_Ext01

List all managed devices (Graph API):

# Install the Microsoft Graph PowerShell SDK (run once)
Install-Module Microsoft.Graph -Scope CurrentUser
# Connect to Microsoft Graph with a read-only managed-devices scope
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
# Retrieve all Intune-managed devices (-All follows paging past the first page of results)
Get-MgDeviceManagementManagedDevice -All
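The Graph cmdlets above list what Intune manages, but the question an administrator usually has is the opposite one: which devices joined Microsoft Entra ID and never showed up in Intune. The following script is an added example, not code from the article or from NinjaOne; it assumes the Microsoft Graph PowerShell SDK v2 cmdlet and property names (Get-MgDevice, Get-MgDeviceManagementManagedDevice, DeviceId, AzureAdDeviceId) and an account that can consent to Device.Read.All in addition to the managed-devices scope.

```powershell
# Added example (not from the article): report Windows devices that are joined to Entra ID
# but have no matching Intune managed-device record, i.e. auto-enrollment did not happen.
Import-Module Microsoft.Graph.Authentication
Import-Module Microsoft.Graph.Identity.DirectoryManagement   # Get-MgDevice
Import-Module Microsoft.Graph.DeviceManagement               # Get-MgDeviceManagementManagedDevice

Connect-MgGraph -Scopes "Device.Read.All", "DeviceManagementManagedDevices.Read.All"

# Entra device objects for Windows; DeviceId is the value Intune echoes back as AzureAdDeviceId
$entraDevices = Get-MgDevice -All -Property id,deviceId,displayName,operatingSystem,trustType,isManaged |
    Where-Object { $_.OperatingSystem -eq 'Windows' }

# Index Intune managed devices by their Entra device ID for a constant-time lookup
$managedIds = @{}
Get-MgDeviceManagementManagedDevice -All -Property id,azureADDeviceId,deviceName |
    ForEach-Object { if ($_.AzureAdDeviceId) { $managedIds[$_.AzureAdDeviceId.ToLower()] = $_ } }

$report = foreach ($d in $entraDevices) {
    [pscustomobject]@{
        DisplayName = $d.DisplayName
        TrustType   = $d.TrustType    # AzureAd = cloud join, ServerAd = hybrid join, Workplace = registered (BYOD)
        IsManaged   = $d.IsManaged    # flag Entra sets once an MDM has claimed the device
        InIntune    = $managedIds.ContainsKey($d.DeviceId.ToLower())
    }
}

# Joined (AzureAd/ServerAd) but not in Intune is the gap the troubleshooting section describes
$gap = $report | Where-Object { -not $_.InIntune -and $_.TrustType -ne 'Workplace' }
$gap | Sort-Object TrustType, DisplayName | Format-Table -AutoSize
$gap | Export-Csv -Path '.\entra-joined-not-enrolled.csv' -NoTypeInformation
```

Workplace-registered (BYOD) devices are excluded from the gap list because they are not expected to auto-enroll under the MDM user scope; drop that filter if your tenant enrolls registered devices too.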

Verifying Windows device enrollment via CMD and dsregcmd

The dsregcmd utility supports status checking and manual join triggers. However, it isn’t a standalone method to enable automatic enrollment of devices in Intune. Instead, it is better used for troubleshooting hybrid join or registration failures during Autopilot or GPO-based setups and for manually triggering Microsoft Entra ID (Azure AD) join or registration.

To verify device enrollment using CMD and dsregcmd, use the following commands:

Trigger Microsoft Entra ID (Azure AD) registration or join: dsregcmd.exe /join

To check current status: dsregcmd.exe /status

  • Look for the following when verifying:
    • AzureAdJoined: YES
    • DeviceAuthStatus: SUCCESS
    • MDMUrl: https://enrollment.manage.microsoft.com/…
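Reading those three values off the dsregcmd screen works for one device; for a fleet it helps to script the check and also confirm that the enrollment record Intune writes to the registry exists. The following is an added example, not code from the article or from NinjaOne; it assumes an elevated PowerShell session on the device, that dsregcmd prints its fields as "Name : Value" lines, and that the Intune enrollment subkey under HKLM\SOFTWARE\Microsoft\Enrollments carries ProviderID "MS DM Server".

```powershell
# Added example (not from the article): consolidate the dsregcmd checks above and the
# enrollment record in HKLM\SOFTWARE\Microsoft\Enrollments into a PASS/FAIL summary.
function Get-DsregStatus {
    # dsregcmd prints "   AzureAdJoined : YES" style lines; collect them into a hashtable
    $status = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9_]+)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

function Get-IntuneEnrollment {
    # Each enrollment is a GUID-named subkey; the Intune one has ProviderID "MS DM Server"
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{ n = 'EnrollmentId'; e = { $_.PSChildName } }, UPN, DiscoveryServiceFullUrl, EnrollmentType
}

$s = Get-DsregStatus
# Hashtable keys are case-insensitive, so 'MDMUrl' from the text and 'MdmUrl' from dsregcmd both match
$checks = [ordered]@{
    'AzureAdJoined = YES'                      = ($s['AzureAdJoined'] -eq 'YES')
    'DeviceAuthStatus = SUCCESS'               = ($s['DeviceAuthStatus'] -eq 'SUCCESS')
    'MDMUrl points at Intune enrollment'       = ($s['MDMUrl'] -like 'https://enrollment.manage.microsoft.com/*')
    'Enrollment record present (MS DM Server)' = [bool](Get-IntuneEnrollment)
}
foreach ($c in $checks.GetEnumerator()) {
    '{0,-45} {1}' -f $c.Key, $(if ($c.Value) { 'PASS' } else { 'FAIL' })
}
Get-IntuneEnrollment | Format-List
```

A device that passes the first two checks but fails the last two is joined to Entra ID but was never handed to Intune, which points at the MDM user scope or licensing rather than at the join itself.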

⚠️ Things to look out for

Risk | Potential Consequences | Reversal
An incorrect MDM scope is applied | Devices may enroll unintentionally and cause policy conflicts or performance issues. | Return to Azure portal > Mobility (MDM and MAM) > Intune and adjust to the appropriate user scope.
Incorrect or incomplete hardware hash uploaded | The device won’t appear in MEM, and the profile won’t apply. | Recollect the hash using Get-WindowsAutopilotInfo.ps1 and re-upload.
Registry misconfiguration | Misconfigured registry entries can cause device instability. | Restore your registry backup.

Additional considerations for the successful automatic enrollment of devices to Intune

Aside from ensuring that you have the necessary requirements outlined above, you also need to look into the following considerations:

SCP configuration

Before proceeding, make sure that you have the correct SCP configuration. To do this, use Set-ADServiceConnectionPoint.

SCP signals to Windows domain-joined devices how to locate your Microsoft Entra ID (Azure AD) tenant for hybrid join. Without it, devices won’t be able to connect to Microsoft Entra ID, rendering automatic Intune enrollment impossible. Having the correct SCP configuration is crucial so that devices can be discovered and authenticated with Microsoft Entra ID.

ESP customization

The Enrollment Status Page (ESP) controls what is visible during provisioning, such as the progress of app installations. It can be customized to display relevant information during enrollment. In doing so, the process is improved through a better user experience. IT administrators can block access to a desktop until critical configurations are completed, ensuring security and consistency.

Network filtering

For automatic enrollment to succeed, key Microsoft endpoints like *.manage.microsoft.com and login.microsoftonline.com must be accessible to Windows devices. Before setting up the automatic enrollment, users must ensure that these are not blocked by firewalls, proxies, or DNS filtering; otherwise, Entra ID join and MDM enrollment may not be successful.
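A quick way to rule out the network before blaming licensing or scope is to test the two endpoint families named above from the device itself. The following is an added example, not code from the article or from NinjaOne; the host list is constructed from the article's wildcards (enrollment.manage.microsoft.com is used as the concrete *.manage.microsoft.com host because it appears in the MDMUrl above), and it assumes the built-in DnsClient and NetTCPIP modules available on Windows 10/11.

```powershell
# Added example (not from the article): confirm enrollment-critical hosts resolve and accept
# TCP 443, and show the WinHTTP proxy the enrollment client and dsregcmd actually use.
$endpoints = @(
    'login.microsoftonline.com',        # Entra ID authentication
    'enrollment.manage.microsoft.com'   # *.manage.microsoft.com: MDM discovery and enrollment
)

function Test-EnrollmentEndpoint {
    param([Parameter(Mandatory)][string]$HostName)
    $dns = Resolve-DnsName -Name $HostName -Type A -ErrorAction SilentlyContinue
    $tcp = Test-NetConnection -ComputerName $HostName -Port 443 -WarningAction SilentlyContinue
    [pscustomobject]@{
        Host        = $HostName
        DnsResolves = [bool]$dns
        # Resolve-DnsName returns CNAME hops too; keep the first A record's address
        Address     = ($dns | Where-Object Type -eq 'A' | Select-Object -First 1 -ExpandProperty IPAddress)
        Tcp443Open  = [bool]$tcp.TcpTestSucceeded
    }
}

$results = $endpoints | ForEach-Object { Test-EnrollmentEndpoint -HostName $_ }
$results | Format-Table -AutoSize

# The enrollment client runs under WinHTTP, not the user's Internet Options proxy
netsh winhttp show proxy

$blocked = $results | Where-Object { -not ($_.DnsResolves -and $_.Tcp443Open) }
if ($blocked) {
    Write-Warning ("Blocked endpoint(s): {0}. Fix DNS, firewall or proxy rules before enrolling." -f ($blocked.Host -join ', '))
}
```

A successful DNS answer with a failed TCP test usually means a firewall or an explicit proxy that WinHTTP is not configured to use; a DNS failure points at DNS filtering or a blocked resolver.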

Autopilot reset and White Glove workflows

Autopilot Reset & White Glove workflows can also trigger auto-enrollment. Autopilot Reset allows IT to reprovision a device while keeping it assigned and managed, while White Glove enables IT administrators to preconfigure devices before delivering them to end users. Both are valuable tools for device management.

Troubleshooting common issues

The Azure device did not auto-enroll in Intune

This is a common issue usually caused by misapplied or missing Intune licenses, misconfigured MDM scopes, or unjoined Microsoft Entra ID (Azure AD) states. To fix this, validate the license, MDM scope, and enrollment URL. Microsoft also provides a more thorough explanation of potential issues when enrolling devices.

dsregcmd status shows NO

If the status shows NO, then the device isn’t joined to Microsoft Entra ID (Azure AD). To fix this, here are some steps you can take:

  • Check SCP configuration
  • Verify Entra ID Connect sync
  • Review conditional access policies and ensure that firewalls, proxies, or DNS filtering are not blocking key URLs.

Autopilot device missing

This error usually occurs when the hardware hash is invalid, incomplete, or uploaded without matching the device’s current state. Always ensure the hash was captured from a clean system and allow up to 15 minutes to appear in the portal.

GPO is not applied

If automatic enrollment via Group Policy isn’t applied, then there may be errors in your policy scope, OU targeting, or both. A good first step is triggering a group policy update to ensure that the policy is applied.

You can also check the Event Viewer to see if the policy was applied. Go to Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider.
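Opening Event Viewer per device does not scale, and the log entries are only meaningful once you know the policy itself landed. The following is an added example, not code from the article or from NinjaOne; it assumes that the Method 2 GPO writes AutoEnrollMDM = 1 under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM, that Windows creates its retry task under \Microsoft\Windows\EnterpriseMgmt\, and that the Admin channel of the Event Viewer log named above records event ID 75 for a successful and 76 for a failed automatic enrollment.

```powershell
# Added example (not from the article): on a domain-joined device, check that the Method 2 GPO
# applied, that the enrollment client scheduled its task, and pull recent enrollment events.

# 1. The GPO "Enable automatic MDM enrollment using default Azure AD credentials" writes this value
$policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue
if ($policy.AutoEnrollMDM -eq 1) {
    'GPO applied: AutoEnrollMDM = 1'
} else {
    'GPO NOT applied: run gpupdate /force, then check OU targeting with gpresult /r'
}

# 2. Windows creates a scheduled task that retries enrollment; its presence shows the client acted on the policy
Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
    Where-Object TaskName -like '*enrolling in MDM from AAD*' |
    ForEach-Object {
        $info = $_ | Get-ScheduledTaskInfo
        [pscustomobject]@{
            TaskName   = $_.TaskName
            State      = $_.State
            LastRun    = $info.LastRunTime
            LastResult = '0x{0:X8}' -f $info.LastTaskResult   # 0x00000000 means the last attempt succeeded
        }
    } | Format-List

# 3. Enrollment outcome and errors from the same log Event Viewer shows, last 24 hours
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $log; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    Where-Object { $_.Id -in 75, 76 -or $_.Level -le 3 } |     # 75 = Auto MDM Enroll succeeded, 76 = failed; Level 2/3 = error/warning
    Select-Object TimeCreated, Id, LevelDisplayName, @{ n = 'Message'; e = { ($_.Message -split "`n")[0] } } |
    Format-Table -Wrap
```

If step 1 reports the value as set but step 2 finds no task, the device has not yet had a licensed user sign in after the policy arrived, which is the reboot-and-sign-in step at the end of Method 2.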

NinjaOne services to enhance cloud-based MDM enrollment

While Intune handles cloud-based MDM enrollment, NinjaOne helps enhance the process with its features.

NinjaOne service | What it does | How it helps with setting up the automatic enrollment of Windows devices to Intune
Automated scripting | Enables IT teams to push PowerShell, CMD, or registry scripts across devices. | Allows MSPs to automate enrollment verification (e.g., checking join status), troubleshoot enrollment failures, or reset enrollment components without manual intervention.
Custom monitoring | Flags devices that failed to auto-enroll. | Flags devices that fail to auto-enroll or whose join state mismatches policies, and enables proactive remediation workflows to ensure maximum compliance and reduce manual checks.
Inventory tagging | Helps IT administrators add tags to easily track Autopilot vs GPO-enrolled vs manually enrolled endpoints. | Allows MSPs to categorize and report enrollment methods per device, enabling them to tailor remediation and track deployment trends easily.
Bulk actions | Lets IT teams and MSPs execute onboarding or remediation scripts at scale across distributed clients. | Helps in addressing enrollment gaps in bulk without one-by-one interventions.

When used together, NinjaOne and Intune create a streamlined automatic enrollment process that reduces failures, speeds up onboarding, and increases visibility for MSP operations.

Set up auto-enrollment of Windows devices in Intune to streamline your device management

Automatic enrollment simplifies modern endpoint management and reduces administrative overhead. The methods above work best when the correct configurations are ensured. In doing so, IT administrators can benefit from seamless Intune enrollment with minimal risks.

FAQs

You can automatically enroll a Windows device into Intune by using the methods above. The most straightforward method is using the Azure portal; however, you can opt to use the Group Policy Editor for hybrid environments or Autopilot for zero-touch provisioning.

Autopilot handles the setup phase, ensuring that a device is joined to Microsoft Entra ID. Meanwhile, Intune handles the device management once the device is set up. The latter deals with enforcing policies, deploying applications, and maintaining security. Both are valuable resources in modern device management strategies.

This can be caused by missing licenses, a misstep in your configuration method, or unjoined AD states. You can read more about this in our Troubleshooting section.
