Forum Discussion
Subsequent device registration in Intune
Hello Tech Community,
We use Entra ID and our devices are fully Entra-joined. Windows 11 devices appear in Entra ID as normal.
We now want to manage our devices with Intune.
However, the devices do not appear in Intune because the MDM user area was initially configured as 'None'.
How can we subsequently move the devices to Intune? Ideally, we would like an automated process to avoid having to move each individual device.
Details:
Windows 11 Devices - Fully Entra-joined
Appear in Entra
No other device management in use
Problem:
Register the devices in Intune without manually touching each individual device. Also I don't want to use things like PSRemote.
Thanks for your answers.
BR
3 Replies
- GriJBrass Contributor
Hello,
Hello,
if anyone else needs this. I did the following on every single device:
- Opened a cmd via Endpoint Security Software Live Response in System Context
- Executed C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM
- To be secure - opened powershell.exe and set the MDM URLs
# Find the tenant ID subkey under TenantInfo and write the three MDM URLs into it
$key = 'SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\*'
$keyinfo = Get-Item "HKLM:\$key"
$url = $keyinfo.name
$url = $url.Split("\")[-1]
$path = "HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo\\$url"
New-ItemProperty -LiteralPath $path -Name 'MdmEnrollmentUrl' -Value 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc' -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath $path -Name 'MdmTermsOfUseUrl' -Value 'https://portal.manage.microsoft.com/TermsofUse.aspx' -PropertyType String -Force -ea SilentlyContinue;
New-ItemProperty -LiteralPath $path -Name 'MdmComplianceUrl' -Value 'https://portal.manage.microsoft.com/?portalAction=Compliance' -PropertyType String -Force -ea SilentlyContinue;
- C:\Windows\system32\deviceenroller.exe /c /AutoEnrollMDM
- Checked everything with dsregcmd /status
Now waited 10-15 minutes. The devices appeared first in Entra with Intune as MDM. Then they appeared in Intune.
It was a lot of work to execute those commands on every single device. But it was better than opening a Remote maintenance on every dev
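An added example (my own, not GriJBrass's script) that wraps the steps above with the checks a practitioner would want before running them fleet-wide from a SYSTEM context: it refuses to run on a device that is not Entra-joined, skips devices that already have enrollment scheduled tasks, writes the same three URLs, runs deviceenroller.exe and then verifies the result from dsregcmd /status instead of waiting for the Intune console. It assumes it runs as SYSTEM on Windows 11 (as in the Live Response session) and that dsregcmd /status reports MdmUrl in its Tenant Details section.

```powershell
# Added example, not the poster's script. Assumes SYSTEM context on an Entra-joined Windows 11 device.
$TenantInfoRoot = 'HKLM:\SYSTEM\CurrentControlSet\Control\CloudDomainJoin\TenantInfo'
$MdmUrls = @{
    MdmEnrollmentUrl = 'https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc'
    MdmTermsOfUseUrl = 'https://portal.manage.microsoft.com/TermsofUse.aspx'
    MdmComplianceUrl = 'https://portal.manage.microsoft.com/?portalAction=Compliance'
}

# Parse the "Name : Value" lines of dsregcmd /status into a hashtable.
function Get-DsregStatus {
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        $parts = $line.Trim() -split '\s*:\s*', 2   # limit 2 keeps the ':' inside URLs intact
        if ($parts.Count -eq 2 -and $parts[0]) { $status[$parts[0]] = $parts[1] }
    }
    return $status
}

# Write the three MDM URLs under the single tenant subkey; refuse to guess if there is not exactly one.
function Set-MdmEnrollmentUrls {
    $tenantKeys = @(Get-ChildItem -LiteralPath $TenantInfoRoot -ErrorAction Stop)
    if ($tenantKeys.Count -ne 1) { throw "Expected one tenant subkey under TenantInfo, found $($tenantKeys.Count)" }
    foreach ($name in $MdmUrls.Keys) {
        New-ItemProperty -LiteralPath $tenantKeys[0].PSPath -Name $name -Value $MdmUrls[$name] `
            -PropertyType String -Force | Out-Null
    }
    return $tenantKeys[0].PSChildName   # tenant ID, for logging
}

function Invoke-MdmAutoEnroll {
    $before = Get-DsregStatus
    if ($before['AzureAdJoined'] -ne 'YES') { throw 'Device is not Entra-joined; /AutoEnrollMDM needs an Entra join' }
    # An existing EnterpriseMgmt task folder means an MDM enrollment is already in place.
    if (Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\*' -ErrorAction SilentlyContinue) {
        Write-Output 'Enrollment scheduled tasks already present; nothing to do'
        return $true
    }
    $tenant = Set-MdmEnrollmentUrls
    $proc = Start-Process -FilePath "$env:windir\system32\deviceenroller.exe" `
        -ArgumentList '/c', '/AutoEnrollMDM' -Wait -PassThru -NoNewWindow
    Write-Output "deviceenroller.exe exit code: $($proc.ExitCode)"   # logged only; dsregcmd is the real check
    $after = Get-DsregStatus
    Write-Output ("Tenant {0}: MdmUrl is now '{1}'" -f $tenant, $after['MdmUrl'])
    return ($after['MdmUrl'] -eq $MdmUrls.MdmEnrollmentUrl)
}

Invoke-MdmAutoEnroll
```

A return value of $true only confirms the device now advertises the Intune discovery URL; the enrollment itself still completes asynchronously, which is why the poster saw the device in Entra first and in Intune 10-15 minutes later.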
- Bogdan_GuineaIron Contributor
Hi,
so this is one of the most common errors when setting up MDM/Intune initially. I am struggling with a migration to almost the same issue, except in my case the devices are registered and not joined. 🙃
Recommendation, If you have the possibility test it first in a DEV/Test Tenant.
1. Enable Automatic MDM Enrollment
- Update the MDM user scope:
In the Microsoft Entra admin center, navigate to
Devices > Enrollment > Windows enrollment > Automatic Enrollment.
Set the MDM user scope to All (recommended for automation) or to a security group containing your users.
2. Assign an Intune License
- Ensure that all users signing into these devices have an appropriate Intune license assigned (e.g., Microsoft 365 E3/E5, EMS E3/E5, or standalone Intune)
Options to trigger enrollment:
1. Local User Action (Manual, but least disruptive)
- On each device, instruct users to:
- Go to Settings > Accounts > Access work or school
- Click their work account, choose Info, and select Sync or Enroll only in device management
(This triggers MDM enrollment without rejoining the device or wiping data)
2. Automated Script or Group Policy
- You can deploy an MDM enrollment Group Policy to all affected devices:
- Use the Group Policy Management Editor:
- Navigate to:
Computer Configuration > Policies > Administrative Templates > Windows Components > MDM
- Enable the policy:
Enable automatic MDM enrollment using default Azure AD credentials
- Set Device Credential and target it at the appropriate devices.
FYI
There is no Microsoft-supported “bulk retroactive auto-enrollment” button for previously Entra-joined devices. All automated options use either a user-side action or a domain-wide Group Policy to trigger MDM enrollment post-facto.
Good luck!
- GriJBrass Contributor
Bogdan_Guinea
Hello, thanks for your reply. I already know the points you mentioned. Unfortunately my colleagues don't know this. Now I have to correct the settings. With hundreds of customer tenants and devices it would be a lot of work.
Do you know if it is possible to register a device in Intune, when I have access to cmd or ps of a device with system context?
I know the following opportunities:
- Entra Join with User
- psexec and
%windir%\system32\deviceenroller.exe /c /AutoEnrollMDM
- dsregcmd /leave /join
- GPO
- Browser: ms-device-enrollment:?mode=mdm
Can I use one of those without using credentials? Only to bring the device to Intune. Thanks.