Forum Discussion
Hybrid Azure AD joined device not enrolling into Intune
Hi,
Thanks for the detailed explanation. I’ve already gone through all the points you mentioned:
• MDM User Scope is correctly configured and includes the user.
• The Automatic MDM enrollment GPO (Enable automatic MDM enrollment using default Azure AD credentials) is applied to the correct OU.
• Licensing is verified – the user has a valid Intune license.
• Conditional Access:
  • I’ve excluded both the user and Microsoft Intune Enrollment from the CA policy that blocks device registration outside the network.
  • Even with these exclusions, the device still fails to enroll into Intune.
• Hybrid Azure AD Join status from dsregcmd /status looks correct.
In addition to the above, I’ve noticed:
• The Intune Management Extension (IME) service cannot be found on the device — there is no trace of the service at all.
• The GPO folders under C:\ProgramData\Microsoft\Windows\GroupPolicy\User appear completely empty, even though relevant GPOs should be applied.
Despite all this, the device becomes Hybrid Azure AD Joined but never proceeds with the Intune enrollment, and the logs still show EnrollmentUrl = (null).
Do you have any additional suggestions on what else I should check?
Ankido88, thanks for the thorough write-up — you’ve already covered most of the usual Intune-side checks. Given the device is hybrid joined but stays SCCM-only and EnrollmentUrl = (null) shows up in CoManagementHandler.log, I’d focus on quickly proving whether the co-management enrollment trigger is firing (and whether anything is quietly blocking it).
If you’re willing to share a couple redacted screenshots/snippets, these questions usually pinpoint it fast:
- In MECM co-management settings, is auto-enrollment set to Pilot or All — and if Pilot, what exact “Intune Auto Enrollment” device collection is selected?
  (Just to confirm the device is actually being targeted by the mechanism that initiates enrollment.)
- On the client, do you see the scheduled task that runs DeviceEnroller.exe /c /AutoEnrollMDM, and what’s the last run result? (Screenshot ok.)
  (That task is the “moment of truth” in co-management — it tells us if enrollment is being attempted at all.)
- In Intune Enrollment Restrictions → Device platform restrictions, what does the Default policy show for Windows (MDM)? (Screenshot ok.)
  (This is a sneaky one: co-management enrollments can be impacted by the Default restriction even when other allow policies exist.)
- If you check Entra sign-in logs around an enrollment attempt, do you see any failures for “Microsoft Intune Enrollment”? (Redacted screenshot ok.)
  (This is the fastest way to rule Conditional Access in/out without guessing.)
If you can post the collection selection + the scheduled task result (and optionally the Intune Default restriction screenshot), we can narrow this to “targeting/policy,” “trigger not running,” or “blocked at the tenant edge” pretty quickly — without assuming anything you’ve done so far was off 👍🏾
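Added example (not posted by either participant): a PowerShell snippet that collects the client-side evidence the reply asks for in one pass, so the answers about the enrollment scheduled task, the IME service, the auto-enrollment policy and the EnrollmentUrl log lines can be pasted without hunting for each. It assumes an elevated session on the affected device, a default ConfigMgr client install (logs under C:\Windows\CCM\Logs), and the standard task folder \Microsoft\Windows\EnterpriseMgmt\ that Windows uses for MDM enrollment tasks.

```powershell
# Example triage script (added here, not from the thread). Run as Administrator on the affected client.
# It only reads state; nothing is changed.

$report = [ordered]@{}

# 1. Join state and MDM discovery URL as dsregcmd reports them.
function Get-DsregValue {
    param([string[]]$Lines, [string]$Name)
    $m = $Lines | Select-String -Pattern "^\s*$Name\s*:\s*(.*)$" | Select-Object -First 1
    if ($m) { $m.Matches[0].Groups[1].Value.Trim() } else { '(not reported)' }
}
$dsreg = & dsregcmd.exe /status
foreach ($field in 'AzureAdJoined', 'DomainJoined', 'TenantName', 'MdmUrl') {
    $report["dsregcmd $field"] = Get-DsregValue -Lines $dsreg -Name $field
}

# 2. The GPO "Enable automatic MDM enrollment using default Azure AD credentials" writes this value.
#    Empty here means the policy never reached the machine, regardless of what GPMC shows.
$mdmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$report['AutoEnrollMDM policy value'] = (Get-ItemProperty -Path $mdmPolicy -ErrorAction SilentlyContinue).AutoEnrollMDM

# 3. Intune Management Extension service: only appears after a successful MDM enrollment,
#    so "NOT INSTALLED" on an unenrolled device is expected, not a separate fault.
$ime = Get-Service -Name IntuneManagementExtension -ErrorAction SilentlyContinue
$report['IME service'] = if ($ime) { $ime.Status } else { 'NOT INSTALLED' }

# 4. Existing MDM enrollments. An Intune enrollment carries ProviderID "MS DM Server".
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.ProviderID) { "$($_.PSChildName) ProviderID=$($p.ProviderID) EnrollmentType=$($p.EnrollmentType)" }
    }
$report['MDM enrollments'] = if ($enrollments) { $enrollments -join '; ' } else { '(none)' }

[pscustomobject]$report | Format-List

# 5. Enrollment scheduled tasks: the "moment of truth". Look for the DeviceEnroller.exe action
#    and its last run result (0x0 = ran cleanly; anything else is the error to chase).
Write-Host "`n== Scheduled tasks under \Microsoft\Windows\EnterpriseMgmt\ =="
$tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' }
if (-not $tasks) { Write-Host 'No enrollment tasks found: the auto-enrollment trigger has never been created.' }
foreach ($t in $tasks) {
    $info   = $t | Get-ScheduledTaskInfo
    $action = ($t.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join ' | '
    [pscustomobject]@{
        Task           = $t.TaskName
        State          = $t.State
        Action         = $action
        LastRunTime    = $info.LastRunTime
        LastTaskResult = ('0x{0:X}' -f $info.LastTaskResult)
    }
} | Format-Table -AutoSize -Wrap

# 6. Co-management handler log: the EnrollmentUrl and AutoEnroll lines are what the reply is asking about.
$log = Join-Path $env:windir 'CCM\Logs\CoManagementHandler.log'
Write-Host "`n== Recent enrollment-related lines in $log =="
if (Test-Path $log) {
    Get-Content -Path $log -Tail 300 | Select-String -Pattern 'EnrollmentUrl|AutoEnroll|Enrollment' |
        Select-Object -Last 10 | ForEach-Object { $_.Line }
} else {
    Write-Host 'Log not found: is the ConfigMgr client installed in the default location?'
}
```

Reading the output against the reply's questions: an empty AutoEnrollMDM value alongside empty GroupPolicy folders points at policy never being applied (targeting), no task under EnterpriseMgmt means the trigger is not running, and a task that ran with a non-zero LastTaskResult while Entra sign-in logs show a failed "Microsoft Intune Enrollment" sign-in points at the tenant edge.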