Dex

๐Ÿ“ฑ Recipe ยท Intune & Device Management

Verify Intune Enrollment Status of a Windows Device and Trigger Manual Enrollment

Diagnose why a Windows device registered in Entra ID is not yet managed by Intune, and manually trigger MDM auto-enrollment without a full reimage or re-login

Complexity

Intermediate

Impact

Device Management + Intune + Windows + Troubleshooting + MDM Enrollment

Context

Why This Matters

After enabling automatic MDM enrollment in Entra ID (MDM user scope set to All or a specific group), Windows 10/11 devices that are Entra ID joined should enroll into Intune automatically. In practice, there's often a gap: the device shows as AzureAd joined in Entra ID but never appears in the Intune managed devices list.

Common causes include:

  • The scheduled auto-enrollment task hasn't fired yet (can take up to an hour).
  • The user is missing a valid Intune license (e.g., Microsoft 365 Business Premium, E3/E5, or standalone Intune).
  • The device was joined before the MDM scope was set, so the enrollment trigger never ran.
  • Group Policy or a conflicting MDM setting is blocking enrollment.

This recipe walks through how to verify a device's current enrollment state across Entra ID and Intune, then trigger manual enrollment on the device itself.

Expected Outcomes

After completing this recipe you will have:

  • Confirmed whether the target device exists in Entra ID, in Intune, or both.
  • Identified whether the user has an Intune license and whether the device is missing the MDM management agent.
  • Triggered manual auto-enrollment on the device using the Windows Settings UI, deviceenroller.exe, or a scheduled task re-run.
  • Verified the device is now reporting as managed in Intune with a valid compliance state.

Risks & Considerations

Warnings and gotchas

  • Don't unjoin/rejoin as a first step. Disconnecting the work account from Windows can destroy local profiles and BitLocker recovery keys stored only in Entra ID. Always try manual sync first.
  • License required. Auto-enrollment silently fails if the user has no Intune license. Check license assignment before troubleshooting the device.
  • MDM vs MAM scope. Make sure the MDM user scope (not just MAM) is set to All or includes the user's group in Entra ID โ†’ Mobility (MDM and MAM).
  • Hybrid join devices follow a different enrollment path via Group Policy or the "Enable automatic MDM enrollment using default Azure AD credentials" GPO โ€” deviceenroller.exe alone may not be enough.
  • Propagation delay. After a successful enrollment, it can take 5โ€“15 minutes for the device to show up in the Intune portal and Graph API.

Required Permissions

PermissionWhy It's Needed
User.Read.AllResolve the target user's account by display name or UPN
Device.Read.AllRead Entra ID device registration records to check join state and isManaged flag
DeviceManagementManagedDevices.Read.AllQuery Intune to confirm whether the device has enrolled into MDM
Directory.Read.AllList a user's registeredDevices and ownedDevices in Entra ID

The fastest way to get this done โ€” just ask Dex. Copy the prompt below and paste it into your Dex conversation.

For IT Admins

Paste into Dex CoAdmin

Check whether {device_name} (owned by {user}) is managed by Intune. If it's registered in Entra ID but not enrolled in Intune, confirm the user has an Intune license, verify MDM auto-enrollment scope is set correctly, and provide step-by-step instructions to trigger manual enrollment on the device.
Try in Dex CoAdmin

For End Users

How an employee would ask Dex for help

My work laptop isn't showing up as managed by IT even though I signed in with my work account. What do I need to do?
Try in Dex Playground