This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(240, 55.00000000000001%, 33%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EJL%3C/text%3E%3C/svg%3E)
I recently upgraded out 365 licenses to allow for auto enrollment. My users have been on Microsoft 365 for a while now.
The devices do not auto enroll. I was told that this is because the accounts are already in Azure AD.
How do I set the devices to enroll w/o having to touch every workstation or interrupt the users connectivity?
I am hoping there is a way to do this through the control panel or a simple process.
Thanks in advance.
Registering devices with Intune for management and policy enforcement
If the Windows endpoints are already joined to AAD, then there is no supported path to automatically enroll them into Intune without resetting them. A local admin will have to initiate this on each endpoint manually.
So, just remove the account and re-add it on each workstation?
Someone mentioned adding the company portal app. Do you think that would work?
Sorry, not sure what exactly you mean when you say "the account". What "account" are you talking about and where do you want to remove or add it?
Are you sure the devices are joined to AAD and not just registered? Registration is a BYOD scenario for Windows. See https://support.microsoft.com/en-us/account-billing/join-your-work-device-to-your-work-or-school-network-ef4d6adb-5095-4e51-829e-5457430f3973 for steps on joining an existing (or new) device to AAD.
Yes, you can absolutely install the Company Portal and manually enroll in Intune from there. This is not automated in any way and requires that the user that does this is a local admin as noted.
Sorry... they are registered, not joined.
When I register a new account, it does add the device to Intune.
Existing registered devices do not auto enroll.
I am looking for the best process to auto enroll my existing devices in Intune.
I do not provide my users with admin permissions.
When I mentioned "Accounts"... on the workstation... Settings... Accounts... Access Work or School... The users MS 365 accounts are already there.
@Joshua Lance Thanks for posting in our Q&A.
For this issue, to avoid any misunderstanding, we appreciate your help to collect some information:
If there is anything update, feel free to let us know.
If the answer is the right solution, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Looks like the comment from Jason illustrates my issue. The workstations have already established their connection to AAD for MS Office and email. Since they have already established their connection, they do not auto enroll in Intune. When I add a new computer and authenticate the MS Office license, they do enroll automatically. It sounds like I need to go to settings... Accounts... Access Work or School and remove the account and then re-add it to enroll.
I am hoping that there is another way as this is disruptive and time consuming.
I read somewhere that adding the company portal app can resolve this issue but I have no clarification as to what that is.
It sounds like I need to go to settings... Accounts... Access Work or School and remove the account and then re-add it to enroll.
I strongly suggest not doing this. As noted in my other answer here, this will register the endpoint in AAD and not join it and registering is meant as a BYOD scenario.
Are the devices currently joined to an on-prem AD domain?
Thanks for the response Jason. Yes, we have an on-prem AD domain. We are not syncing with AAD though.
All our workstations are already registered with AAD.
You mentioned resetting them. What are your steps for resetting them?
I assumed it was removing the account on the workstations and adding it back in... Not removing the local domain account... Just the MS365 account.
If there is another process to "resetting" the account, please let me know.
Yes, we have an on-prem AD domain.
This changes the story and path forward. For existing devices joined to you on-prem AD, you should 100% enable hybrid AAD join: https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join. Just to restate and reinforce, AAD registration is a BYOD scenario and not meant for use on corporate owned Windows endpoints.
Once you enable HAADJ, you can use group policy to automatically enroll the Windows endpoints in Intune. This is well covered in the official docs: https://learn.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy
I assumed it was removing the account on the workstations and adding it back in.
Same question as above, what do you mean by "the account"? Doman join and registration have nothing to do with adding an account to devices so totally not following what this even means. None of this has anything to do with resetting accounts either.
I assumed it was removing the account on the workstations and adding it back in
Registration and domain has nothing to do with adding an account on a device. Registration and join means registering or joining the device to AAD. Registration is associating the AAD account to the device (it's not adding it in any way really), but once again, this is a BYOD scenario and should not be considered for a corporate owned device. Also, M365 does not have accounts, they are AAD accounts. And as noted in my other reply, none of this is about resetting an account anywhere.
I apreciate that my terms do not comply with the proper language here...
I do not currently have a Hybrid environment. The accounts are managed seperatley.
The AD user accounts are managed on our Domain Controllers and the Microsoft Accounts (AAD accounts) are manage on the Microsoft portal.
At this point, to add a device to Intune, it would require the user be a member of the local admin group. This is not an option for us.
If I need to establish a hybrid configuration to use group policies, I can do that.
Using the command dsregcmd /status, I see that the host is not joined to AAD. This makes sense as I am not setup with the hybrid configuration.
So, long story short... Sounds like I need to move to the hybrid solution.
If you have any documentation on how to do this w/o impacting the user's experience, I would apreciate that.
If I need to establish a hybrid configuration to use group policies, I can do that.
Group Policy is now effectively legacy and you should begin planning to fully embrace policy management and enforcement using Intune. As noted, hybrid Azure AD join can be the first step on your journey to this and cloud-native: aka.ms/cloudnativeendpoints
If you have any documentation on how to do this w/o impacting the user's experience, I would apreciate that.
Already linked to that (https://learn.microsoft.com/en-us/azure/active-directory/devices/howto-hybrid-azure-ad-join). There is no direct or immediate user impact when enabling HAADJ.