🖥️ Fixing Hybrid Azure AD Joined Devices That Don’t Auto-Enroll into Intune
You’ve set up Hybrid Azure AD Join, expecting your Windows devices to automatically enroll into Microsoft Intune, but instead, only a few enroll correctly—while the rest refuse to show up in the Intune portal.
If this sounds familiar, you’re not alone. Several admins have faced this exact issue where devices complete the hybrid join but fail to auto-enroll into Intune, leaving no clues in Task Scheduler or Event Viewer. Let’s break down what’s happening and how to fix it.
🔍 The Problem
The devices appear in Microsoft Entra ID as Hybrid Azure AD Joined, but never reach Intune. You open Task Scheduler, expecting to find the MDM enrollment task under Microsoft > Windows > EnterpriseMgmt, but it’s missing entirely.
Here’s what’s confirmed working:
- Licensing: ✅ Users have the correct Intune and Azure AD licenses.
- Scope: ✅ MDM user scope set to All Users in Intune.
- GPO: ✅ Configured correctly for MDM auto-enrollment.
- Hybrid Join: ✅ Successful and showing in Azure AD.
Yet, devices still won’t auto-enroll. One or two might work, while the rest fail without warning.
🧠 Step 1: Run Diagnostics
Start by checking the device’s join and MDM status.
Open Command Prompt as Administrator and run:
dsregcmd /status
Scroll to the Device State section.
- If AzureAdJoined = YES but MdmUrl = (blank) → the MDM enrollment never started.
- If Device State shows Pending or No, it means the enrollment trigger didn’t fire.
💡 Tip: A working device can help you compare outputs. Look at both the MDM URLs and Join Type for differences.
🧾 Step 2: Check Event Viewer
Head to:
Event Viewer → Applications and Services Logs → Microsoft → Windows → DeviceManagement-Enterprise-Diagnostics-Provider → Admin
Look for event IDs:
- 75 or 76 → MDM Enrollment attempt
- 82 → Enrollment failed
These logs reveal if the device tried (and failed) to connect to the Intune MDM endpoint.
If there are no logs at all, it likely means the scheduled MDM task never triggered—which points to a join or policy delivery problem.
⚙️ Step 3: Verify Group Policy
Check the GPO for MDM Auto Enrollment:
Computer Configuration → Administrative Templates → Windows Components → MDM → Enable automatic MDM enrollment using default Azure AD credentials
Ensure this policy is Enabled and targeted to the correct user group.
If you’ve recently updated GPOs or changed your Intune authority, run:
gpupdate /force
and reboot the device.
🧭 Step 4: Compare with a Working Device
Find one that enrolled successfully and compare:
- Registry: HKLM\SOFTWARE\Microsoft\Enrollments
- Task Scheduler: Microsoft > Windows > EnterpriseMgmt
- dsregcmd /status output
You may find missing registry entries or scheduled tasks on the problem devices.
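Steps 1 to 4 can be collected in a single script, so that the output of a working device and a failing device can be compared file against file instead of by eye. The PowerShell below is an added example, not code from the original post. It assumes an elevated session, that dsregcmd /status prints "Key : Value" lines (keys such as AzureAdJoined, DomainJoined, TenantName and MdmUrl), and that the auto-enrollment GPO is backed by the AutoEnrollMDM and UseAADCredentialType values under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM; that registry location and those value names are assumptions, not taken from the post. The event log name and IDs are the ones named in Step 2. It goes slightly beyond the text by dumping every value under each enrollment subkey rather than a fixed set, so nothing is missed in the comparison.

```powershell
# Added example: collect hybrid-join / Intune auto-enrollment diagnostics into one
# object per device so a working and a failing device can be compared. Run elevated.

function Get-DsregStatus {
    # Parse "dsregcmd /status" lines of the form "   Key : Value" into a hashtable.
    # Hashtable keys are case-insensitive, so $status['MdmUrl'] and $status['MDMUrl'] both work.
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z][\w ]*?)\s*:\s*(.*)$') {
            $status[$Matches[1]] = $Matches[2].Trim()
        }
    }
    return $status
}

function Get-MdmAutoEnrollPolicy {
    # Registry values written by the "Enable automatic MDM enrollment using default
    # Azure AD credentials" GPO. ASSUMED location and value names (not from the post):
    # AutoEnrollMDM = 1 means the policy is Enabled.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKeyPresent     = [bool]$p
        AutoEnrollMDM        = $p.AutoEnrollMDM
        UseAADCredentialType = $p.UseAADCredentialType
    }
}

function Get-EnrollmentState {
    # Enrollment subkeys (Step 4) and the scheduled tasks that enrollment creates.
    $enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object {
            [pscustomobject]@{
                Key    = $_.PSChildName
                Values = (Get-ItemProperty -Path $_.PSPath | Select-Object -Property * -ExcludeProperty PS*)
            }
        }
    $tasks = Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' } |
        Select-Object TaskPath, TaskName, State
    [pscustomobject]@{ Enrollments = @($enrollments); Tasks = @($tasks) }
}

function Get-MdmEnrollmentEvents {
    param([int]$Days = 7)
    # Event IDs as described in Step 2: 75/76 = enrollment attempt, 82 = enrollment failed.
    $filter = @{
        LogName   = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id        = 75, 76, 82
        StartTime = (Get-Date).AddDays(-$Days)
    }
    try {
        @(Get-WinEvent -FilterHashtable $filter -ErrorAction Stop |
            Select-Object TimeCreated, Id, Message)
    } catch {
        @()   # Get-WinEvent throws when nothing matches; treat that as "no attempts"
    }
}

function Test-AutoEnrollment {
    $status = Get-DsregStatus
    $policy = Get-MdmAutoEnrollPolicy
    $state  = Get-EnrollmentState
    $events = Get-MdmEnrollmentEvents
    $findings = New-Object System.Collections.Generic.List[string]

    if ($status['DomainJoined'] -ne 'YES')  { $findings.Add('DomainJoined is not YES: not a hybrid-join candidate.') }
    if ($status['AzureAdJoined'] -ne 'YES') { $findings.Add('AzureAdJoined is not YES: hybrid join has not completed.') }
    if ([string]::IsNullOrWhiteSpace($status['MdmUrl'])) { $findings.Add('MdmUrl is blank: MDM enrollment never started.') }
    if ($policy.AutoEnrollMDM -ne 1) { $findings.Add('Auto-enrollment policy not applied: check the GPO, run gpupdate /force, reboot.') }
    if ($state.Tasks.Count -eq 0) { $findings.Add('No tasks under Microsoft\Windows\EnterpriseMgmt: the enrollment task was never created.') }
    if ($events.Count -eq 0) {
        $findings.Add('No events 75/76/82: the device never tried to reach the MDM endpoint (join or policy delivery problem).')
    } elseif ($events | Where-Object { $_.Id -eq 82 }) {
        $findings.Add('Event 82 present: enrollment was attempted and failed; read its message for the server response.')
    }

    [pscustomobject]@{
        ComputerName = $env:COMPUTERNAME
        Collected    = (Get-Date).ToString('s')
        Join         = [pscustomobject]@{
            DomainJoined  = $status['DomainJoined']
            AzureAdJoined = $status['AzureAdJoined']
            TenantName    = $status['TenantName']
            MdmUrl        = $status['MdmUrl']
        }
        Policy       = $policy
        Enrollments  = $state.Enrollments
        Tasks        = $state.Tasks
        Events       = $events
        Findings     = $findings.ToArray()
    }
}

# Save one report per device, then run the same script on a working device and diff the files.
$report = Test-AutoEnrollment
$report | ConvertTo-Json -Depth 6 | Set-Content -Path "$env:COMPUTERNAME-mdm-diag.json" -Encoding UTF8
$report.Findings
```

Run it on one device that enrolled and one that did not, then load both JSON files with ConvertFrom-Json and pass their Findings, Tasks and Enrollments to Compare-Object. A failing device with no findings but no events at all points at the trigger never firing, which is the "wait and monitor" case in Step 5 rather than a local configuration fault.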
🧰 Step 5: Possible Fixes
| Solution | What It Does |
|---|---|
| Re-run dsregcmd /join | Forces Azure AD re-registration and retriggers MDM enrollment. |
| Clear old enrollment keys | Delete keys under HKLM\SOFTWARE\Microsoft\Enrollments (only if the device isn’t enrolled). |
| Recheck Intune Connector Health | Verify that the Intune Connector for Active Directory (if used) is running and connected. |
| Reboot after GPO sync | A fresh policy pull sometimes recreates the MDM task automatically. |
| Wait and Monitor | If several tenants are seeing the same thing, it could be a temporary Microsoft backend issue—check the Microsoft 365 Service Health Dashboard. |
🗣️ What the Community Says
Several admins in the Reddit thread reported the same pattern:
- Hybrid Join worked fine, but Intune enrollment suddenly stopped for multiple devices.
- One user said only one machine enrolled properly while others stayed unmanaged for days.
- Another suspected a service-side outage, though Microsoft hadn’t posted a related advisory.
This suggests that the issue isn’t always configuration-based—sometimes it’s a temporary backend sync delay between Azure AD and Intune.
✅ Summary
If hybrid-joined devices won’t auto-enroll into Intune:
- Run dsregcmd /status to check join state.
- Review Event Viewer logs for MDM enrollment attempts.
- Verify the MDM GPO and Intune user scope.
- Compare a working vs failing device.
- Keep an eye on Microsoft’s Service Health page for known issues.
By methodically reviewing join status, GPOs, and scheduled tasks, you can isolate whether the issue is local, policy-based, or service-related.