
How to Perform Bulk Device Enrollment in Intune via PowerShell

by Mauro Mendoza, IT Technical Writer

Imagine manually enrolling 100 new company laptops into Intune: clicking through endless prompts, fixing typos, and wasting hours. Bulk enrollment for Windows devices addresses this by automating the entire process with PowerShell.

In this guide, you’ll learn how to seamlessly register devices at scale and enforce uniform policies, whether you manage 20 devices or 2,000.


Bulk device enrollment methods using PowerShell

Automating device onboarding via PowerShell lets you consistently deploy, configure, and secure multiple Windows 10/11 devices in minutes, not weeks.

📌 Use case: This approach is ideal for deploying new devices or company-wide upgrades. This also allows you to set up devices without having to access them physically. It ensures that every device in your domain gets identical policies and apps from day one.

📌 Prerequisites: Before starting, make sure you have the following:

  • Licenses: A Microsoft Entra ID (formerly Azure AD) tenant with Intune licenses assigned to the users whose devices will enroll
  • Permissions: The Intune Administrator role; Global Administrator also works but carries far more privilege than enrollment needs, so keep it out of day-to-day enrollment accounts
  • OS compatibility: Devices running Windows 10/11 Pro, Enterprise, or Education
  • Tools: PowerShell 5.1+ (or PowerShell 7.x for modern features) and the Microsoft Graph PowerShell SDK for the verification commands
  • Optional:
    • Autopilot: Configured for zero-touch enrollment
    • Hybrid Azure AD Join: Requires Azure AD Connect (Microsoft Entra Connect) sync and a Service Connection Point (SCP)

Read the ⚠️ Things to look out for section before proceeding.

Method 1: Bulk enrollment via PowerShell manual scripting

This hands-on approach lets you automate Intune enrollment for batches of existing Windows 10/11 devices, whether they are being set up in batches or provisioned through imaging.

📌 Use case: Ideal when you’re redeploying devices already running Windows 10/11, have physical access to the devices, and need to enroll them without Autopilot pre-registration.

Step-by-step procedure:

  1. Initiate enrollment:
    • On an enterprise device that is already Azure AD joined or hybrid Azure AD joined, open PowerShell (Admin), then run this script:

Start-Process "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/c /AutoEnrollMDM"

    • This command silently enrolls the device in Intune using the existing Azure AD credentials. It only works when the device already has an Azure AD join and the automatic MDM enrollment policy is present (the Group Policy from Alternative option 2, or its registry equivalent under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM); otherwise it exits without enrolling and records the reason in Event Viewer under Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider > Admin.
  2. Verify enrollment status:
    • Run this script: $dsreg = dsregcmd /status
    • In the output, AzureAdJoined must be YES (hybrid devices also show DomainJoined : YES). An empty MdmUrl field is a sign that the tenant's MDM user scope does not cover this device's users, in which case auto-enrollment will not trigger.
  3. Force Azure AD Join (if needed):
    • On a domain-joined device that should be hybrid joined, run this script: dsregcmd /join
    • This performs the join that the Automatic-Device-Join scheduled task normally runs as SYSTEM, so if it fails from an ordinary elevated prompt, run it in the SYSTEM context (for example with PsExec -s).
  4. Automate at scale:
    • Deploy these scripts remotely using tools like:
      1. Windows Task Scheduler for local devices, or;
      2. Deployment tools like NinjaOne to automate it domain-wide in your enterprise network.

This uses built-in Windows tools (DeviceEnroller.exe/dsregcmd) to trigger enrollment. Once the device is enrolled, Intune applies your policies and apps to it automatically.
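The script below is an added example, not code from the original article or from NinjaOne. It combines the steps above into one idempotent run: it parses dsregcmd /status and refuses to continue unless the device is already Azure AD joined, writes the same registry values the automatic MDM enrollment Group Policy sets, launches DeviceEnroller.exe, and then confirms the enrollment by looking for the MS DM Server entry Windows records under HKLM\SOFTWARE\Microsoft\Enrollments. It assumes (the article does not say this) that the tenant's MDM user scope includes the users signing in to these devices and that it is run elevated; the 300-second timeout is an arbitrary choice.

```powershell
# Added example (not from the original article): trigger Intune auto-enrollment
# on an already Azure AD-joined or hybrid-joined device and confirm it took effect.
# Assumptions (not stated in the article): the tenant's MDM user scope covers the
# users signing in to these devices, and this runs elevated.
#Requires -RunAsAdministrator

function Get-DsregState {
    # Turn the "Key : Value" lines of dsregcmd /status into a hashtable.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z][^:]*?)\s*:\s*(.*)$') {
            $state[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $state
}

function Enable-MdmAutoEnrollPolicy {
    # Same values the "Enable automatic MDM enrollment using default Azure AD
    # credentials" Group Policy writes; UseAADCredentialType 1 = User Credential.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $key)) { New-Item -Path $key -Force | Out-Null }
    Set-ItemProperty -Path $key -Name AutoEnrollMDM -Value 1 -Type DWord
    Set-ItemProperty -Path $key -Name UseAADCredentialType -Value 1 -Type DWord
}

function Test-IntuneEnrolled {
    # An Intune enrollment appears as an Enrollments\{guid} key whose ProviderID
    # is "MS DM Server" and whose EnrollmentState is 1. Returns the discovery URL.
    $root = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    foreach ($k in Get-ChildItem -Path $root -ErrorAction SilentlyContinue) {
        $p = Get-ItemProperty -Path $k.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID -eq 'MS DM Server' -and $p.EnrollmentState -eq 1) {
            return $p.DiscoveryServiceFullURL
        }
    }
    return $null
}

function Invoke-IntuneAutoEnroll {
    param([int]$TimeoutSeconds = 300)   # arbitrary; enrollment is asynchronous

    $join = Get-DsregState
    if ($join['AzureAdJoined'] -ne 'YES') {
        throw "Not Azure AD joined (AzureAdJoined=$($join['AzureAdJoined'])). Join the device first (dsregcmd /join as SYSTEM for hybrid join)."
    }
    $existing = Test-IntuneEnrolled
    if ($existing) {
        Write-Host "Already enrolled via $existing"
        return $true
    }

    Enable-MdmAutoEnrollPolicy
    $proc = Start-Process -FilePath "$env:windir\System32\DeviceEnroller.exe" `
        -ArgumentList '/c', '/AutoEnrollMDM' -Wait -PassThru
    Write-Host "DeviceEnroller.exe exit code: $($proc.ExitCode)"

    # The enroller returns before the enrollment completes; poll the registry.
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    do {
        Start-Sleep -Seconds 15
        $url = Test-IntuneEnrolled
        if ($url) {
            Write-Host "Enrolled via $url"
            return $true
        }
    } while ((Get-Date) -lt $deadline)

    # Surface the enrollment client's own errors instead of guessing.
    Write-Warning "No Intune enrollment after $TimeoutSeconds s; recent enrollment events:"
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
        -MaxEvents 10 -ErrorAction SilentlyContinue |
        Where-Object LevelDisplayName -in 'Error', 'Warning' |
        Format-List TimeCreated, Id, Message
    return $false
}

Invoke-IntuneAutoEnroll
```

Because the script checks the join state first and returns early when an enrollment already exists, it is safe to push the same file to every device in a batch through Task Scheduler or an RMM tool and re-run it on the ones that report failure.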

Method 2: Manually upload Device Hardware IDs for Autopilot via PowerShell

Capture and register each device's hardware hash upfront to enable true zero-touch bulk enrollment in Intune for new Windows 11 devices.

📌 Use case: Ideal for devices received directly from the manufacturer. Once the hashes are registered, the device goes through the out-of-box experience (OOBE) straight into the Autopilot flow without IT touching it.

Step-by-step procedure:

  1. Prepare the environment:
    • On an enterprise device, open PowerShell (Admin), then run this script:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory -Path "C:\HWID" -Force
Set-Location -Path "C:\HWID"

  2. Install the script and capture hashes:
    • Run this script to export the hardware hash (hardware ID) of the device to CSV:

$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv

    • Get-WindowsAutoPilotInfo is installed from the PowerShell Gallery, so Install-Script needs internet access and will offer to install NuGet on first use. Add -GroupTag "<tag>" to stamp the device with the group tag your dynamic groups key on; when several devices write to the same share, add -Append so each run adds a row instead of overwriting the file.
  3. Consolidate and upload the hashes:
    • Merge the per-device CSVs into a single file (the Intune import accepts one CSV of up to 500 rows at a time), then upload it via Intune admin center > Devices > Enroll devices > Windows Autopilot > Devices > Import.
  2. Automate collection:
    • Integrate the script into:
      1. Build pipelines: Run during OS imaging (e.g., MDT/SCCM task sequences).
      2. RMM tools: Use deployment tools like NinjaOne as agent scripts.
      3. First-boot setup: Add to Windows SetupComplete.cmd.

This procedure should bind all hardware hashes to Autopilot, triggering automatic enrollment when users first turn their devices on. It eliminates manual registration per device and can be done at the start, after unboxing the device.
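Step 3 above (consolidating the CSVs) and the "Incorrect hardware hashes" risk further down are where bulk registrations usually go wrong, so here is an added example, not code from the original article or from NinjaOne, that merges the per-device files Get-WindowsAutoPilotInfo writes into import-ready batches. It checks for the three mandatory columns, drops rows whose hash is not valid base64, removes duplicate serials left by repeated collection runs, and splits the result into files of at most 500 rows, written in the unquoted layout the collector script itself produces. The paths are assumptions; the demo at the end builds two small CSVs with constructed serials and a fake hash so the function can be exercised without real devices.

```powershell
# Added example (not from the original article): merge per-device AutopilotHWID.csv
# files into import-ready batches, validating hashes and de-duplicating serials.
$ImportHeader = @('Device Serial Number', 'Windows Product ID', 'Hardware Hash',
                  'Group Tag', 'Assigned User')
$MaxRowsPerFile = 500   # Intune admin center imports at most 500 rows per CSV

function Test-HardwareHash {
    param([string]$Hash)
    # Hardware hashes are base64; a truncated or mangled hash fails to decode.
    if ([string]::IsNullOrWhiteSpace($Hash)) { return $false }
    try { [void][Convert]::FromBase64String($Hash); return $true } catch { return $false }
}

function Merge-AutopilotCsv {
    param(
        [Parameter(Mandatory)][string]$SourceDir,
        [Parameter(Mandatory)][string]$OutDir
    )
    $required = $ImportHeader[0..2]
    $rows = @()
    foreach ($file in Get-ChildItem -Path $SourceDir -Filter *.csv -File) {
        $csv = @(Import-Csv -Path $file.FullName)
        if (-not $csv) { continue }
        $columns = $csv[0].PSObject.Properties.Name
        $missing = @($required | Where-Object { $_ -notin $columns })
        if ($missing) {
            Write-Warning "$($file.Name): missing column(s) $($missing -join ', '); skipped"
            continue
        }
        foreach ($r in $csv) {
            if (-not (Test-HardwareHash $r.'Hardware Hash')) {
                Write-Warning "$($file.Name): invalid hash for serial '$($r.'Device Serial Number')'; skipped"
                continue
            }
            $rows += $r
        }
    }
    # Running the collector twice on one device yields duplicate serials; keep one.
    $unique = @($rows | Sort-Object 'Device Serial Number' -Unique)
    Write-Host "$($rows.Count) valid rows read, $($unique.Count) unique serials"

    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $written = @()
    for ($i = 0; $i -lt $unique.Count; $i += $MaxRowsPerFile) {
        $end  = [Math]::Min($i + $MaxRowsPerFile, $unique.Count) - 1
        $path = Join-Path $OutDir ('Autopilot-batch{0:D3}.csv' -f ($written.Count + 1))
        # Same layout Get-WindowsAutoPilotInfo writes: all five columns, no quotes.
        $unique[$i..$end] | Select-Object -Property $ImportHeader |
            ConvertTo-Csv -NoTypeInformation |
            ForEach-Object { $_ -replace '"', '' } |
            Set-Content -Path $path -Encoding ASCII
        $written += $path
    }
    return $written
}

# --- Demo with constructed data (fake serials and a fake hash, not real devices) ---
$demo = Join-Path $env:TEMP 'autopilot-demo'
$src  = Join-Path $demo 'collected'
New-Item -ItemType Directory -Path $src -Force | Out-Null
$fakeHash = [Convert]::ToBase64String([byte[]](1..64))
@"
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User
SN0001,00330-80000-00000-AA111,$fakeHash,Finance,
SN0002,00330-80000-00000-AA112,$fakeHash,Finance,
"@ | Set-Content (Join-Path $src 'laptop-a.csv')
@"
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User
SN0002,00330-80000-00000-AA112,$fakeHash,Finance,
SN0003,00330-80000-00000-AA113,NOT_BASE64!,Finance,
"@ | Set-Content (Join-Path $src 'laptop-b.csv')

Merge-AutopilotCsv -SourceDir $src -OutDir (Join-Path $demo 'import')
```

With the demo data, the function reads three valid rows (SN0003's hash is rejected), keeps two unique serials, and writes a single Autopilot-batch001.csv. Point -SourceDir at the share your imaging task sequence or RMM job drops the CSVs into, and upload the batch files one at a time.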

Method 3: Upload Hardware Hashes to Intune directly via PowerShell

This method captures and uploads hardware hashes to Intune without manually handling CSV per device.

📌 Use case: This procedure is ideal for immediately registering individual devices.

Step-by-step procedure:

  1. Prepare the environment and install the Autopilot script:
    • On an enterprise device, open PowerShell (Admin), then run this script:

[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutoPilotInfo -Force

  2. Capture and upload the hardware hash:
    • Run this command to read the device's hardware hash (hardware ID) and upload it straight to Autopilot (add -GroupTag "<tag>" to assign a group tag in the same step):

Get-WindowsAutopilotInfo -Online

💡 Note: If prompted, agree to install NuGet from the PSGallery.

After running this command, a Microsoft Entra ID sign-in prompt pops up. Sign in with an account that holds the Intune Administrator role (a Global Administrator account is unnecessary) and accept the Microsoft Graph permission consent the script requests on first use.

  • After a successful sign-in, the device's hardware hash uploads automatically.
  3. Verify the hardware hash uploaded successfully:
    • In the Intune admin center home screen, select Devices in the left-side panel.
      1. Under By platform, select Windows, then follow these steps:
      2. In the Windows devices screen, under Device onboarding, select Enrollment.
      3. In the Enrollment screen, under Windows Autopilot, select Devices.
      4. In the Autopilot devices screen, select Sync in the toolbar.
      5. Wait for the sync to finish, which may take several minutes.

After the sync is completed, the devices will appear in the device list on the Windows Autopilot devices screen in Intune.

Alternative methods to enroll devices in Intune in bulk

For large-scale deployments where PowerShell isn't feasible, these proven alternatives streamline bulk enrollment of devices in Intune using native Microsoft tools.

📌 Prerequisites: Before starting, make sure you have the following:

  • Licenses: A Microsoft Entra ID (formerly Azure AD) tenant with Intune licenses assigned to the enrolling users.
  • Permissions: The Intune Administrator role (Global Administrator works but is more privilege than the task needs).
  • Tools: Command Prompt with PsExec available, and Group Policy with the MDM administrative templates available.
  • Optional:
    1. Autopilot: Configured for zero-touch enrollment.
    2. Hybrid Azure AD Join: Requires Azure AD Connect (Microsoft Entra Connect) sync and a Service Connection Point (SCP).

Alternative option 1: CMD Techniques and dsregcmd in Batch Operations

For quick device checks or simple enrollment triggers across multiple Windows 11 machines, CMD-based scripts offer a lightweight alternative to PowerShell.

📌 Use cases: It is ideal for environments using older RMM tools that prefer batch files. It can also help validate enrollment status on devices without PowerShell access.

Step-by-step procedure:

  1. Create your batch file:
    • Open Notepad.
    • Add the commands below.
    • Save it with a .bat extension named after the action it performs, with Save as type set to All files.
  2. Create an enrollment status (in bulk) batch file:
    • Save the following as Get-Status.bat and run it from Command Prompt (Admin) on a machine that has PsExec on its PATH:

@echo off
FOR /F %%i IN (C:\Lists\hostnames.txt) DO (
  PSEXEC \\%%i dsregcmd /status > \\SERVER\StatusLogs\%%i_status.txt
)

    • This collects Azure AD/Intune status for all devices in your hostname list (one hostname per line). The redirection happens on the machine running the batch file, so that machine needs write access to the StatusLogs share. Run it from an account that already holds local administrator rights on the targets; PsExec then uses that account's Windows credentials and nothing has to be typed or stored.
  3. Force Azure AD Join:
    • Create Force_Join.bat containing: dsregcmd /join
    • Deploy it remotely via:

PSEXEC @C:\Lists\hostnames.txt -s cmd /c "dsregcmd /join"

    • The -s switch runs the command as SYSTEM, the context the hybrid-join scheduled task itself uses. Avoid PsExec's -u/-p switches with a password on the command line: the password ends up in the batch file, in process command lines on the source machine, and in RMM job logs.
  4. Trigger Intune enrollment:
    • Run directly on the devices:

start "" "C:\Windows\System32\deviceenroller.exe" /c /AutoEnrollMDM

  5. Deploy across the enterprise devices:
    • Deploy the batch files across your domain devices using RMM tools.

Alternative option 2: Group Policy for MDM Auto-Enrollment in Hybrid Environments

Leverage existing Active Directory infrastructure to automate bulk enrollment in Intune for domain-joined Windows 11 devices

📌 Use cases: Ideal for organizations with hybrid Azure AD environments (AD + Azure AD), staging large device fleets during OS deployment, and enforcing org-wide enrollment policies.

Step-by-step procedure:

  1. Open the Group Policy Management console:
    • Launch gpmc.msc on your Domain Controller.
  2. Navigate to MDM policies:
    • Go to: Computer Configuration > Policies > Administrative Templates > Windows Components > MDM
  3. Enable auto-enrollment:
    • Open the setting Enable automatic MDM enrollment using default Azure AD credentials, set it to Enabled, and choose the credential type:
      1. User Credential: the standard choice; the device enrolls when a hybrid-joined device is used by a signed-in user with an Intune license.
      2. Device Credential: only supported for co-management with Configuration Manager and Azure Virtual Desktop scenarios; selected elsewhere, devices stay unenrolled.
  4. Apply and force update:
    • Link the policy to the target Organizational Unit (OU), starting with a pilot OU so a mistake does not enroll the whole domain.
    • Force immediate update on devices by running this command in Command Prompt (Admin): gpupdate /force
    • The policy creates a scheduled task that attempts enrollment; it succeeds only after the device has completed hybrid Azure AD join (check with dsregcmd /status), so sequence the join before the enrollment.
  5. Bulk deployment tip:
    • Apply this command during imaging via Command Prompt (Admin):

FOR /F %i IN (device_list.txt) DO psexec \\%i gpupdate /force

⚠️ Things to look out for

This section highlights potential challenges to keep in mind while following this guide. Each entry lists the risk, its potential consequences, and how to reverse it.

1. Incorrect hardware hashes (Methods 2-3)
  • Potential consequences: devices fail Autopilot enrollment; OEM pre-provisioning breaks.
  • Reversal:
    1. Re-extract the hashes with Get-WindowsAutoPilotInfo.
    2. Delete the invalid entries in the Intune admin center (Devices > Windows > Enrollment > Devices), then re-upload.

2. Overloaded enrollment accounts (all methods)
  • Potential consequences: a standard user account hits the Intune per-user device limit (15 by default) and further enrollments fail; a device enrollment manager (DEM) account is capped at 1,000 devices; devices enrolled under a shared account receive that account's policies rather than the end user's.
  • Reversal:
    1. Use dedicated DEM accounts for staging, and user-driven enrollment wherever the device has a primary user.
    2. Monitor how many devices each enrolling account holds with the Microsoft Graph PowerShell SDK (after Connect-MgGraph with DeviceManagementManagedDevices.Read.All):

Get-MgDeviceManagementManagedDevice -All | Group-Object userPrincipalName | Sort-Object Count -Descending

3. GPO misconfiguration (Group Policy)
  • Potential consequences: accidental org-wide enrollment; hybrid join failures.
  • Reversal:
    1. Back up the GPOs before editing.
    2. Link the policy to an isolated test OU first.
    3. Revert by unlinking or disabling the policy, then running gpupdate /force. Devices that already enrolled stay enrolled until they are retired from Intune; the policy only controls new enrollments.

4. Registry corruption (CMD/PowerShell)
  • Potential consequences: dsregcmd failures; Azure AD join loops.
  • Reversal:
    1. Export the enrollment keys before retrying a stuck enrollment:

reg export HKLM\SOFTWARE\Microsoft\Enrollments C:\HWID\enrollments-backup.reg

    2. Restore via reg import.

5. Autopilot profile mismatch (Methods 2-3)
  • Potential consequences: devices assigned the wrong apps/policies; security compliance breaches.
  • Reversal:
    1. Populate the Group Tag column in the CSV (or pass -GroupTag to Get-WindowsAutoPilotInfo) so each device lands in the intended dynamic group.
    2. For devices already registered, change the group tag in the Intune admin center (Devices > Windows > Enrollment > Devices) or through the Graph API's updateDeviceProperties action on the windowsAutopilotDeviceIdentity resource, then Sync; profile assignment follows the group membership.

6. Windows 11 TPM issues (all methods)
  • Potential consequences: enrollment blocks on incompatible hardware.
  • Reversal:
    1. Verify the TPM with Get-Tpm (TpmPresent and TpmReady should both be True; Windows 11 requires TPM 2.0).
    2. Enable Secure Boot in the firmware before imaging.

Key considerations when bulk-enrolling devices in Intune

Automating enrollment at scale requires careful planning. Here’s what to prioritize for seamless bulk enrollment for Windows devices, especially on Windows 11.

Microsoft endpoint access is non-negotiable

Devices must reach critical Microsoft URLs such as enterpriseregistration.windows.net and login.microsoftonline.com during setup, along with the Intune enrollment service endpoints. Blocked or TLS-inspected endpoints cause enrollment failures, so verify connectivity with Test-NetConnection before deployment and exclude the Microsoft Entra ID and Intune endpoints from SSL inspection on your proxy.
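The following pre-flight check is an added example, not code from the original article or from NinjaOne. It runs Test-NetConnection on port 443 against the two hostnames named above plus Intune's enrollment, portal and device-login services, and exits non-zero if any are unreachable so an RMM job can flag the device. The host list is an assumption: take the authoritative allow-list for your tenant from Microsoft's published endpoint documentation.

```powershell
# Added example (not from the original article): check that the endpoints
# enrollment depends on are reachable before pushing enrollment scripts.
# The host list is an assumption; extend it from Microsoft's published list.
$EnrollmentHosts = @(
    'login.microsoftonline.com',
    'device.login.microsoftonline.com',
    'enterpriseregistration.windows.net',
    'enrollment.manage.microsoft.com',
    'portal.manage.microsoft.com'
)

function Test-EnrollmentEndpoints {
    param([string[]]$Hosts = $EnrollmentHosts, [int]$Port = 443)
    foreach ($h in $Hosts) {
        # -WarningAction hides the per-host "TCP connect failed" noise; we report below.
        $t = Test-NetConnection -ComputerName $h -Port $Port -WarningAction SilentlyContinue
        [pscustomobject]@{
            Host         = $h
            Resolved     = [bool]$t.RemoteAddress      # DNS worked
            TcpReachable = [bool]$t.TcpTestSucceeded   # firewall/proxy let 443 through
        }
    }
}

$report  = Test-EnrollmentEndpoints
$report | Format-Table -AutoSize
$blocked = @($report | Where-Object { -not $_.TcpReachable })
if ($blocked.Count -gt 0) {
    Write-Warning ("Unreachable: " + ($blocked.Host -join ', ') + ". Fix DNS, proxy or firewall rules before enrolling.")
    exit 1
}
```

A successful TCP handshake only proves the port is open; a proxy that terminates TLS for these hosts still breaks device registration, so pair this check with a proxy bypass for the Microsoft Entra ID and Intune endpoints.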

Autopilot relies on hardware hashes

Every device needs a unique hardware hash (captured via Get-WindowsAutoPilotInfo) registered in your tenant before it first boots into OOBE. For true zero-touch, upload the hashes before the devices ship. Windows 11 itself requires TPM 2.0 and Secure Boot, and Autopilot's self-deploying and pre-provisioning modes additionally rely on TPM 2.0 attestation, so confirm the hardware meets both before buying in bulk.

Dynamic groups automate configurations

Assign policies automatically by creating Azure AD dynamic device groups keyed on the Autopilot identifiers: (device.devicePhysicalIds -any (_ -startsWith "[ZTDId]")) matches every Autopilot-registered device, and (device.devicePhysicalIds -any (_ -eq "[OrderID]:Finance")) matches devices registered with the group tag Finance (group tags are stored as OrderID). New devices automatically receive apps, compliance policies, and security settings upon enrollment.

How NinjaOne services can enhance bulk enrollment

NinjaOne supercharges the bulk enrollment methods covered in this guide, automating PowerShell and CMD workflows for Windows 11 at scale.

  • Deploy Your Scripts Remotely: Push the exact PowerShell/CMD scripts from Methods 1-3 to thousands of devices with no manual runs needed.
  • Schedule & Monitor Key Tasks:
    • Automate: Autopilot hash collection (Method 2), dsregcmd status checks (Method 1), and syncs (Method 3) with real-time success/failure reports.
  • Instantly Identify Gaps: See which devices failed to enroll, lack TPM 2.0, or exceed DEM accounts’ limit.
  • Auto-remediate issues: Trigger fixes like re-running DeviceEnroller.exe, forcing Azure AD joins, and alerting for hash mismatches.

Make bulk device enrollment in Intune more efficient with PowerShell

Bulk enrollment for Windows devices turns device chaos into automated precision. You now have the keys to automate enrollment via PowerShell scripts, scale securely with DEM accounts and dynamic groups, and deploy confidently from 20 to 20,000 Windows 10/11 devices. Transform hours of manual setup into minutes.
