Microsoft Endpoint Manager (now called Microsoft Intune) was the previous name for Microsoft’s endpoint management suite. Its unified interface helps simplify remote device and app management across diverse platforms, and its cloud-first approach makes it particularly effective in Windows-centric environments.
This article covers Microsoft Endpoint Manager's core components, how to enroll and manage your devices, and troubleshooting tips.
How to enroll and manage devices in Microsoft Endpoint Management or Intune
Understand what works best to optimize your process. Before selecting a method, carefully consider your goals, technical constraints, and scope.
📌 Prerequisites:
- Administrator privileges (Intune Administrator, Global Admin, or Endpoint Security Manager)
- Microsoft 365 tenant with MEM-eligible licenses (Microsoft 365 Business Premium, EMS, or Microsoft 365 E3/E5)
- Access to Microsoft Endpoint Manager Admin Center (https://www.endpoint.microsoft.com)
- Familiarity with PowerShell, GPO, registry editing, and Windows system management
- Devices with internet access to the Microsoft service endpoints, with no SSL/TLS inspection applied to that traffic
📌 Recommended deployment strategies:
Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises
--- | --- | ---
How to prepare a device for enrollment via Registry Editor | ✓ | 
How to troubleshoot enrollment issues with Command Prompt | ✓ | ✓
How to manage and monitor MEM devices with PowerShell | ✓ | ✓
How to automate device enrollment via Group Policy | | ✓
How to prepare a device for enrollment via Registry Editor
⚠️ Warning: Editing the registry can cause system issues. Create a backup before proceeding.
📌 Use Cases: Prepare a device for MDM/Intune enrollment by optimizing its registry keys.
- Press Win + R, type regedit, and press Ctrl + Shift + Enter to open Registry Editor as an administrator.
- Navigate to:
HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
- If the MDM key is missing, create it:
  - Right-click on the right-hand pane.
  - Select New > Key.
  - Name the new key MDM.
  - Double-click MDM.
- If the AutoEnrollMDM value is missing, create it:
  - Right-click on the right-hand pane.
  - Select New > DWORD (32-bit) Value.
  - Name the new value AutoEnrollMDM.
  - Double-click AutoEnrollMDM.
  - To turn on MDM auto-enrollment, type 1 in the Value data field.
  - Press OK.
- If the UseAADCredentialType value is missing, create it:
  - Right-click on the right-hand pane.
  - Select New > DWORD (32-bit) Value.
  - Name the new value UseAADCredentialType.
  - Double-click UseAADCredentialType.
  - To specify that Microsoft Entra ID (formerly Azure AD) credentials should be used, type 1 in the Value data field.
  - Press OK.
- Restart the PC or sign out and back in to apply your changes.
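The same registry preparation, scripted so it can be audited first and applied only on request. This is an added example, not code from the original article; it assumes an elevated PowerShell session on the target device and backs the key up with reg.exe before changing anything.

```powershell
# Added example (not from the original article): audit and optionally set the
# two MDM auto-enrollment values described above, backing up the key first.
# Assumes: run in an elevated PowerShell session on the device being prepared.
param([switch]$Apply)

$KeyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$Desired = @{ AutoEnrollMDM = 1; UseAADCredentialType = 1 }

# Back up the key before touching it (reg.exe export writes a .reg file)
$backup = Join-Path $env:TEMP ("MDM-policy-backup-{0:yyyyMMdd-HHmmss}.reg" -f (Get-Date))
if (Test-Path $KeyPath) {
    reg.exe export 'HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' $backup /y | Out-Null
    Write-Host "Backup written to $backup"
} else {
    Write-Host 'MDM key does not exist yet; nothing to back up.'
}

# Compare each value against the expected DWORD and record any drift
$drift = @()
foreach ($name in $Desired.Keys) {
    $current = (Get-ItemProperty -Path $KeyPath -Name $name -ErrorAction SilentlyContinue).$name
    $state = if ($null -eq $current) { 'missing' }
             elseif ($current -eq $Desired[$name]) { 'ok' }
             else { "wrong (currently $current)" }
    Write-Host ("{0,-22} {1}" -f $name, $state)
    if ($state -ne 'ok') { $drift += $name }
}

if ($drift.Count -eq 0) { Write-Host 'Registry already matches the expected auto-enrollment settings.'; return }
if (-not $Apply) { Write-Host "Audit only. Re-run with -Apply to set: $($drift -join ', ')"; return }

# Apply mode: create the key if needed, then write only the values that drifted
if (-not (Test-Path $KeyPath)) { New-Item -Path $KeyPath -Force | Out-Null }
foreach ($name in $drift) {
    New-ItemProperty -Path $KeyPath -Name $name -Value $Desired[$name] -PropertyType DWord -Force | Out-Null
    Write-Host "Set $name = $($Desired[$name])"
}
Write-Host 'Restart or sign in again for the change to take effect.'
```

Running it without -Apply is a safe read-only check; the backup path is printed so the key can be restored with reg.exe import if needed.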
How to troubleshoot enrollment issues with Command Prompt
Diagnose Microsoft Entra ID/MEM enrollment issues and manually join devices from a lightweight command-line shell.
📌 Use Cases: Manually trigger the join process to Microsoft Entra ID in hybrid management scenarios.
- Press Win + R, type cmd, and press Ctrl + Shift + Enter to open an elevated Command Prompt.
- To check the device's join and enrollment status for Microsoft Endpoint Management, run this command:
dsregcmd /status
- Check these sections of the output to review your device's join status:
  - Device State:
    - If you see AzureAdJoined: YES, the device is joined to Entra ID.
    - If you see DomainJoined: YES, the device is joined to a local/on-premises Active Directory (AD) domain.
    - If you see EnterpriseJoined: YES, the device is connected to a local/on-premises AD server with Workplace Join.
  - User State: If WorkplaceJoined is displayed, the current user is signed in with an Entra ID account.
  - MDM URLs: Displays the enrollment service links when device enrollment is successful.
- If your device still isn't enrolled, run this command to manually start the join process for Microsoft Entra ID:
dsregcmd /join
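A helper that runs dsregcmd /status and turns the fields listed above into an object, so the join state can be checked by a script instead of by eye. This is an added example, not part of the original article; it assumes dsregcmd.exe is present (it ships with Windows 10/11) and that the field names match the output described above.

```powershell
# Added example (not from the original article): parse dsregcmd /status into an
# object and summarise the join/enrollment state using the fields discussed above.
# Assumes: Windows 10/11 with dsregcmd.exe available on the PATH.
function Get-DeviceJoinState {
    $raw = & dsregcmd.exe /status 2>&1
    $fields = @{}
    foreach ($line in $raw) {
        # Output lines look like "    AzureAdJoined : YES"; capture name and value.
        # Keep the first occurrence so section headers without values are ignored.
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            if (-not $fields.ContainsKey($Matches[1])) { $fields[$Matches[1]] = $Matches[2] }
        }
    }
    [pscustomobject]@{
        AzureAdJoined    = $fields['AzureAdJoined']
        DomainJoined     = $fields['DomainJoined']
        EnterpriseJoined = $fields['EnterpriseJoined']
        WorkplaceJoined  = $fields['WorkplaceJoined']
        TenantName       = $fields['TenantName']
        MdmUrl           = $fields['MdmUrl']
    }
}

# Interpret the result the same way the manual checklist above does
$state = Get-DeviceJoinState
$state | Format-List

$verdict = if ($state.AzureAdJoined -eq 'YES' -and $state.MdmUrl) {
    'Entra ID joined and MDM enrollment URL present: enrollment looks complete.'
} elseif ($state.AzureAdJoined -eq 'YES') {
    'Entra ID joined but no MDM URL: enrollment has not completed; check licensing and the MDM registry values.'
} elseif ($state.DomainJoined -eq 'YES') {
    'Domain joined only: hybrid join has not happened; verify the SCP before running dsregcmd /join.'
} else {
    'Not joined to Entra ID: run dsregcmd /join as described above.'
}
Write-Host $verdict
```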
How to manage and monitor MEM devices with PowerShell
Managing Microsoft Endpoint Manager via PowerShell is done using the official Microsoft Graph API, which lets advanced users access MEM and other Microsoft 365 services programmatically.
📌 Use Cases: Automate MEM policy audits across multiple devices.
📌 Prerequisites: Active Intune license and Graph API permissions.
- Press Win + R, type powershell, and press Ctrl + Shift + Enter to open an elevated PowerShell session.
- Run these commands sequentially to install and connect to Microsoft Graph:
Install-Module Microsoft.Graph -Scope CurrentUser
Connect-MgGraph -Scopes "DeviceManagementManagedDevices.Read.All"
- Run this command to list the devices you’ve enrolled in Microsoft Endpoint Manager:
Get-MgDeviceManagementManagedDevice
- Run this command to manually trigger MDM enrollment:
Start-Process "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/c /AutoEnrollMDM"
- Run this command to monitor enrolled devices that deviate from established policies:
Get-MgDeviceManagementManagedDeviceCompliance
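A small audit script for the "automate MEM policy audits across multiple devices" use case above: it connects with the read-only scope, lists every managed device, and reports those that are non-compliant or have not synced recently. This is an added example, not code from the original article or from Microsoft; it assumes the Microsoft.Graph module is installed and that the account has the DeviceManagementManagedDevices.Read.All permission.

```powershell
# Added example (not from the original article): read-only compliance and
# check-in audit over all Intune-managed devices via Microsoft Graph PowerShell.
# Assumes: Microsoft.Graph installed (Install-Module Microsoft.Graph -Scope CurrentUser).
param([int]$StaleDays = 14)   # devices that have not synced in this many days are flagged

Import-Module Microsoft.Graph.DeviceManagement
Connect-MgGraph -Scopes 'DeviceManagementManagedDevices.Read.All'

$cutoff  = (Get-Date).AddDays(-$StaleDays)
$devices = Get-MgDeviceManagementManagedDevice -All   # -All pages through every device

$report = foreach ($d in $devices) {
    $issues = @()
    # complianceState values include compliant, noncompliant, inGracePeriod, error, unknown
    if ($d.ComplianceState -ne 'compliant') { $issues += "compliance=$($d.ComplianceState)" }
    if ($d.LastSyncDateTime -lt $cutoff)    { $issues += "lastSync=$($d.LastSyncDateTime.ToString('yyyy-MM-dd'))" }
    if ($issues.Count -gt 0) {
        [pscustomobject]@{
            DeviceName = $d.DeviceName
            User       = $d.UserPrincipalName
            OS         = "$($d.OperatingSystem) $($d.OSVersion)"
            Issues     = $issues -join '; '
        }
    }
}

"{0} of {1} managed devices need attention" -f @($report).Count, @($devices).Count
$report | Sort-Object DeviceName | Format-Table -AutoSize

# Keep a CSV so the audit can be compared run to run
$report | Export-Csv -Path (Join-Path $env:TEMP 'mem-device-audit.csv') -NoTypeInformation
```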
How to automate device enrollment via Group Policy
📌 Use Cases: A company with a hybrid infrastructure (domain-joined and Microsoft Entra ID-registered) needs to auto-enroll devices into Microsoft Intune.
📌 Prerequisites: Microsoft Entra ID and a Service Connection Point (SCP) published in AD.
- Press Win + R, type gpedit.msc, and press Ctrl + Shift + Enter to open the Local Group Policy Editor as an administrator.
- Navigate to:
Computer Configuration > Administrative Templates > Windows Components > MDM
- Scroll down and double-click Enable automatic MDM enrollment using default Azure AD credentials.
- Enable the policy.
- Choose Device Credential for device-level enrollment.
- Choose User Credential to auto-enroll a user's device when they sign in to it with Entra ID credentials (e.g., when they add a work account to a personal device).
MEM core components
- Microsoft Intune service – Cloud-based mobile device management (MDM) and mobile application management (MAM)
- Configuration Manager (ConfigMgr/SCCM) – On-premises infrastructure for device management via Group Policy Objects (GPO) and AD
- Co-Management – Combines Intune’s cloud features and ConfigMgr for hybrid management
- Windows Autopilot – Simplifies device lifecycle management through the cloud
- Endpoint Analytics – Cloud-native health and performance monitoring for client devices
- Microsoft Defender for Endpoint – Built-in cybersecurity to strengthen security posture
When to use MEM for your MSP and enterprise needs
Centralized management of BYOD and corporate endpoints
MEM integrates with Azure Active Directory to monitor BYODs/company-owned endpoints for policy drift.
Automated software deployment and policy enforcement
You can deploy important work-related apps through MEM to make tools readily available at scale.
Conditional Access enforcement based on device compliance
MEM works with Azure AD Conditional Access to selectively screen devices for policy compliance before allowing access to your organization’s resources.
App protection policies (APP) for data loss prevention on mobile devices
App protection policies restrict what managed work apps and common user actions (e.g., copy-paste) can do with company data, so it stays protected around the clock.
Self-service device provisioning through Autopilot
Conveniently provision devices when they are booted up for the first time to make onboarding faster than ever.
Policy-driven BitLocker and Defender enforcement
Windows' built-in BitLocker drive encryption and Microsoft Defender settings can also be deployed through MEM to match your security policy.
⚠️ Things to look out for
Risk | Potential Consequences | Reversal
--- | --- | ---
Running dsregcmd /join on an already joined or misconfigured device | Duplicated entries in Microsoft Entra ID and enrollment errors | Run dsregcmd /leave to unjoin, then re-enroll the problematic devices
Not having proper Graph API permissions | Unauthorized changes and policy misapplication | Revoke Graph API tokens, run an audit, and revert changes via Intune/PowerShell
Accidentally configuring another device group for auto-enrollment | Devices enroll with incorrect credentials | Revert the GPO settings and force a policy update (gpupdate /force)
Important considerations for Microsoft Endpoint Manager
Evaluate Microsoft Intune’s most important features to optimize preexisting support systems for fast enrollments and centralized control.
Co-management
Microsoft Endpoint Manager supports co-management, which empowers your enterprise to simultaneously manage devices with both on-site Configuration Manager and cloud-based Intune solutions.
According to Microsoft Learn, this solution can also jumpstart your migration to the cloud, easing the load on physical servers.
Policy sets
Intune enables IT experts to create deployable policy blueprints and configuration bundles that easily allow you to repeatedly onboard users and devices from numerous departments. Leverage this feature in your provisioning efforts.
Security baselines
MEM comes with pre-configured, CIS-like security settings vetted by Microsoft’s security teams, offering additional cyber safety. Discern how they mesh with your organization’s endpoint protection policies for total cohesion.
Reporting
Endpoint Analytics and Graph API act as supplementary audit services under Microsoft Endpoint Manager. Consider their performance monitoring features to make your compliance reports comprehensive.
Troubleshooting Microsoft Endpoint Manager or Intune
MEM not detecting devices
A device has to be licensed and joined to Entra ID to be detected by MEM. If Microsoft Endpoint Manager can't detect any of your endpoints, head to the Microsoft 365 admin center to check their licenses, and verify their join status on the device by running dsregcmd /status.
Intune enrollment fails
Blocked Intune enrollments are typically caused by conflicting registry settings and/or a bad Service Connection Point (SCP) in hybrid environments. Verify your SCP configuration in Active Directory and review the relevant keys under:
HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
Endpoint Analytics missing
If Endpoint Analytics isn’t being displayed, turn on Endpoint Analytics data collection in the MEM admin center and check if the device runs a supported OS version. For accuracy and compatibility, Endpoint Analytics relies on specific telemetry services available in modern Windows versions.
Policy not applying
If a device isn't picking up your policies, inspect its policy assignments via Microsoft Graph PowerShell cmdlets, e.g.:
Connect-MgGraph -Scopes "DeviceManagementConfiguration.Read.All"
Get-MgDeviceManagementConfigurationPolicyAssignment
If that doesn’t work, open the Intune admin center and do the following:
- Navigate to Troubleshooting + support > Troubleshoot.
- Select the affected user.
- Review device health, assigned policies, and compliance status.
NinjaOne services can optimize Microsoft endpoint management
NinjaOne enhances the Microsoft Endpoint Manager experience by providing valuable insight into endpoints outside of MEM’s scope – on Windows, Linux, iOS, iPadOS, Android, and macOS.
NinjaOne RMM also automates script-based configurations to simplify MEM enrollment for a faster, hands-free approach.
Whether it’s proactive drift detection or report creation for enrolled and non-enrolled devices, supplementing your IT toolkit with NinjaOne’s flexible solutions facilitates Microsoft endpoint management across your digital workspace.
Enhance Microsoft Endpoint Manager with automated solutions
Microsoft Endpoint Manager gives you the reins to configure, monitor, and secure enrolled devices in your network. However, the methods used can be risky, so exercise caution, test often, and always prepare a backup.
With that in mind, system admins can also automate the hardest aspects of MEM setups with modern endpoint solutions that drive employee productivity from a single pane of glass.