Registering devices with Intune for management and policy enforcement
Use the Access work or school enrollment path instead of looking for the legacy Enroll only in device management option, and verify that automatic MDM enrollment is correctly configured for the user.
Key points based on the scenario:
- Manual enrollment path on the device
  On Windows 11 Pro, the supported user-driven enrollment for Intune is:
  - Open Settings > Accounts.
  - Select Access work or school.
  - Select Connect.
  - Sign in with the user’s work account (UPN, for example ******@contoso.com).
  - Complete the wizard until the You’re all set! screen appears, then select Done.
  - Confirm the work account is listed under Access work or school.
- Confirm the correct enrollment model
  For user/BYOD or org-owned devices, Intune recommends:
  - Use Settings > Accounts > Access work or school > Connect to register or join the device to Microsoft Entra ID, which then drives Intune enrollment.
  - Avoid the Enroll only in device management (MDM-only) option, as it does not register the device in Microsoft Entra ID and is not recommended for Intune.
- Fix missing MDM URL (no auto-enrollment)
  dsregcmd /status showing AzureAdJoined: YES but an empty MDMUrl indicates that automatic MDM enrollment is not configured or not applying to this user/device. Verify the following in the tenant:
  - Intune license
    Ensure the user has a valid Intune license assigned.
  - Automatic MDM enrollment settings
    In Microsoft Entra ID / Intune configuration:
    - MDM user scope must be set to All (or at least include this user).
    - MAM user scope should be set to None, otherwise it can take precedence and block MDM enrollment.
    - MDM discovery URL must be set to https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc.
  - Device OS and join state
    - Confirm the device is on a supported version (Windows 10 1709+ or Windows 11).
    - For Group Policy–based auto-enrollment, the device must be Microsoft Entra hybrid joined (AzureAdJoined: YES, DomainJoined: YES, and AzureAdPrt: YES in dsregcmd /status).
- If using Group Policy–based auto-enrollment
  If the device is domain-joined and should auto-enroll via GPO:
  - Configure the Enable automatic MDM enrollment using default Microsoft Entra credentials Group Policy in on-premises AD and apply it to the device.
  - After Group Policy refresh and sign-in with the domain account, the scheduled task under Task Scheduler > Microsoft > Windows > EnterpriseMgmt should run and enroll the device.
  - If it still fails, use the Intune auto-enrollment troubleshooting guidance and check the DeviceManagement-Enterprise-Diagnostics-Provider logs for specific error codes.
- Confirm enrollment in Intune
  After fixing the MDM scope and re-running the join/enrollment flow:
  - Sign in to the Intune admin center.
  - Go to Devices > All devices and verify that the device appears as enrolled.
If the device is already Microsoft Entra joined but not enrolling, the usual resolution is to correct the MDM user scope / MAM scope / discovery URL, ensure licensing, then disconnect the work account, reboot, and re-join via Access work or school > Connect so that the MDM enrollment is triggered with the corrected configuration.
References:
- Step 5 - Enroll a Windows device in Microsoft Intune
- Enrollment guide: Enroll Windows client devices in Microsoft Intune
- Troubleshooting Windows 10 Group Policy-based auto-enrollment in Intune
- Troubleshooting Windows device enrollment errors in Intune
- MDM enrollment of Windows devices
- Enroll Windows devices in Intune
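
The dsregcmd /status checks described in this answer, as an added PowerShell example that is not part of the original answer or of any Microsoft tooling: it parses the output and reports which enrollment prerequisite is missing. The function names and the sample output are constructed for illustration; the discovery URL is the one listed in the answer.

```powershell
# Added example (not from the original answer): triage `dsregcmd /status` text.
# Value taken from the answer's "MDM discovery URL must be set to" step.
$ExpectedMdmUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'

function Get-DsregField {
    param([string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        # dsregcmd prints "   Name : Value"; capture everything after the first colon
        # so URL values keep their own colons.
        if ($line -match '^\s*(\w+)\s*:\s*(.*)$') {
            $fields[$Matches[1]] = $Matches[2].Trim()
        }
    }
    $fields
}

function Get-EnrollmentFinding {
    param([string[]]$Lines)
    $f = Get-DsregField -Lines $Lines
    $findings = @()
    if ($f['AzureAdJoined'] -ne 'YES') {
        $findings += 'Not Microsoft Entra joined: register or join the device before expecting MDM enrollment.'
    }
    elseif ([string]::IsNullOrWhiteSpace($f['MdmUrl'])) {
        # The case the answer describes: joined, but auto-enrollment never applied.
        $findings += 'Joined but MdmUrl is empty: check Intune license, MDM user scope, MAM user scope, discovery URL.'
    }
    elseif ($f['MdmUrl'] -ne $ExpectedMdmUrl) {
        $findings += "MdmUrl is '$($f['MdmUrl'])', not the Intune discovery URL."
    }
    if ($f['DomainJoined'] -eq 'YES' -and $f['AzureAdPrt'] -ne 'YES') {
        $findings += 'Domain joined without AzureAdPrt: hybrid-join prerequisite for GPO auto-enrollment is not met.'
    }
    if ($findings.Count -eq 0) { $findings += 'Join state and MdmUrl look correct; confirm under Devices > All devices.' }
    $findings
}

# Constructed sample output (not captured from a real device).
$sample = @'
             AzureAdJoined : YES
              DomainJoined : NO
                TenantName : Contoso
                    MdmUrl :
                AzureAdPrt : YES
'@ -split '\r?\n'

Get-EnrollmentFinding -Lines $sample
# On a live device: Get-EnrollmentFinding -Lines (dsregcmd /status)
```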