Ankido88
Copper Contributor
Apr 08, 2026

Hybrid Azure AD joined device not enrolling into Intune

Issue

A Windows device successfully registers in Entra ID (Hybrid Azure AD join) but never enrolls into Intune.

Result:

  • Device appears in Entra ID
  • Device does not appear in Intune
  • Intune Management Extension is not installed
  • Device remains SCCM‑only (co‑management never starts)

Log (CoManagementHandler.log):

EnrollmentUrl = (null) Device is not MDM enrolled yet. All workloads are managed by SCCM.

Environment

  • Windows 10/11
  • Hybrid Azure AD Join
  • On‑prem AD + MECM (Cloud Attach / Co‑management enabled)
  • Microsoft 365 E3 (Intune license assigned)
  • Device on corporate trusted network

What I’ve done

  • Verified Azure AD join and MDM URL
  • Confirmed MDM user scope = All
  • Verified Intune enrollment restrictions allow Windows
  • Verified user has Intune license
  • Identified Conditional Access policy targeting “Register or join devices”
  • Updated that CA policy to Exclude → Microsoft Intune Enrollment
  • Waited for replication and retried enrollment (deviceenroller.exe /c /AutoEnrollMDM)

Question

Despite excluding Microsoft Intune Enrollment, the device still does not enroll into Intune.

2 Replies

  • Ankido88
    Copper Contributor

    Hi,

    Thanks for the detailed explanation. I’ve already gone through all the points you mentioned:

    • MDM User Scope is correctly configured and includes the user.

    • The Automatic MDM enrollment GPO (Enable automatic MDM enrollment using default Azure AD credentials) is applied to the correct OU.

    • Licensing is verified – the user has a valid Intune license.

    • Conditional Access:

      • I’ve excluded both the user and Microsoft Intune Enrollment from the CA policy that blocks device registration outside the network.

      • Even with these exclusions, the device still fails to enroll into Intune.

    • Hybrid Azure AD Join status from dsregcmd /status looks correct.

    In addition to the above, I’ve noticed:

    • The Intune Management Extension (IME) service cannot be found on the device — there is no trace of the service at all.

    • The GPO folders under C:\ProgramData\Microsoft\Windows\GroupPolicy\User appear completely empty, even though relevant GPOs should be applied.

    Despite all this, the device becomes Hybrid Azure AD Joined but never proceeds with the Intune enrollment, and the logs still show EnrollmentUrl = (null).

    Do you have any additional suggestions on what else I should check?

  • When a Windows device is Hybrid Azure AD joined but does not automatically enroll into Intune, the issue is usually related to the MDM enrollment configuration rather than the join itself. A few key points to check:

    MDM User Scope

    Ensure the MDM user scope in Intune is set to All or includes the users you expect to enroll.

    This setting is found under Microsoft Intune → Device enrollment → Enrollment restrictions → MDM user scope.

    Auto-enrollment GPO

    Hybrid Azure AD joined devices require the Enable automatic MDM enrollment using default Azure AD credentials Group Policy.

    This GPO must be applied to the OU containing your devices. Without it, the device will join Entra ID but never trigger Intune enrollment.

    Licensing

    Verify the user has a valid Intune license (Microsoft 365 E3/E5 or standalone Intune).

    The device will not enroll if the assigned user lacks an Intune license.

    Conditional Access Policies

    Ensure Conditional Access policies are not blocking the enrollment service.

    Excluding “Microsoft Intune Enrollment” from CA is correct, but also confirm no other CA rules are interfering.

    Co-management prerequisites

    If you are using MECM (SCCM) with co-management, confirm that the Co-management configuration is enabled and workloads are set to Intune where needed.

    The log entry EnrollmentUrl = (null) typically indicates the auto-enrollment policy is missing or not applied.

    Troubleshooting

    Run dsregcmd /status on the client to confirm Hybrid Azure AD join status.

    Check Event Viewer → Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider for enrollment errors.

    Force enrollment with:

    deviceenroller.exe /c /AutoEnrollMDM

    If this fails, it usually confirms the GPO is not applied.
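The checks the reply walks through (dsregcmd state, the auto-enrollment GPO, the IME service, the DeviceManagement event log) collected into one read-only diagnostic script. This is an added example, not code from the thread; it assumes the standard registry path written by the auto-enrollment GPO, the enrollment scheduled task under EnterpriseMgmt, the IntuneManagementExtension service name, and event IDs 75/76 of the DeviceManagement-Enterprise-Diagnostics-Provider log.

```powershell
# Added diagnostic example (not from the thread). Read-only prerequisite checks for
# Hybrid Azure AD join -> Intune auto-enrollment; run from an elevated PowerShell prompt
# on the affected device. Assumed: policy key path, task name, IME service name, event IDs.

function Test-HybridJoinState {
    # dsregcmd prints "Name : Value" lines; both must be YES for a Hybrid Azure AD join.
    $status = (dsregcmd /status) -join "`n"
    $pass = ($status -match 'AzureAdJoined\s*:\s*YES') -and ($status -match 'DomainJoined\s*:\s*YES')
    [pscustomobject]@{ Check = 'Hybrid Azure AD joined (dsregcmd)'; Pass = $pass; Detail = '' }
}

function Test-AutoEnrollPolicy {
    # "Enable automatic MDM enrollment using default Azure AD credentials" writes this key.
    # A missing key means the GPO never reached the device, which matches EnrollmentUrl = (null).
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    $detail = if ($p) { "UseAADCredentialType=$($p.UseAADCredentialType) (1=user, 2=device)" } else { 'policy key missing' }
    [pscustomobject]@{ Check = 'Auto-enrollment GPO (AutoEnrollMDM=1)'; Pass = [bool]($p -and $p.AutoEnrollMDM -eq 1); Detail = $detail }
}

function Test-EnrollmentTask {
    # The same GPO registers this scheduled task; without it no enrollment attempt is made.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -like 'Schedule created by enrollment client*' }
    [pscustomobject]@{ Check = 'MDM auto-enrollment scheduled task'; Pass = [bool]$task; Detail = "$($task.State)" }
}

function Test-ImeService {
    # The Intune Management Extension is only installed after a successful MDM enrollment,
    # so its absence is a symptom of the failed enrollment, not its cause.
    $svc = Get-Service -Name IntuneManagementExtension -ErrorAction SilentlyContinue
    [pscustomobject]@{ Check = 'Intune Management Extension service'; Pass = [bool]$svc; Detail = "$($svc.Status)" }
}

function Get-AutoEnrollEvents {
    # 75 = Auto MDM Enroll succeeded, 76 = failed (the HRESULT is in the message text).
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 75, 76
    } -MaxEvents 10 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Message'; e = { ($_.Message -split "`r?`n")[0] } }
}

(Test-HybridJoinState), (Test-AutoEnrollPolicy), (Test-EnrollmentTask), (Test-ImeService) |
    Format-Table -AutoSize
Get-AutoEnrollEvents | Format-Table -AutoSize -Wrap
```

If the policy key and the scheduled task are both missing while dsregcmd reports the join, the GPO is the gap to close before looking further at Conditional Access or co-management settings.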