This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(6.4, 93%, 10%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EUA%3C/text%3E%3C/svg%3E)
We've configured a Group Policy to automatically enroll our devices in Intune. We have 9,000 Intune licenses and aim to onboard 8,000 devices. However, we're facing an issue where only 200 devices have been successfully enrolled so far.
To troubleshoot this, we've done a Dsreg cmd and the devices are hybrid joinde. we've also investigated the logs in Event Viewer on some of the affected devices and confirmed that the necessary discovery URLs are accessible on our network. Despite these efforts, the majority of our devices remain unenrolled.
We're seeking assistance to identify the root cause of this low enrollment rate and implement a solution to ensure the successful enrollment of the remaining devices.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(185.6, 61%, 27%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EXM%3C/text%3E%3C/svg%3E)
@Usman Abdullahi Thanks for posting in our Q&A.
For this issue, we appreciate your help to collect some information:
1.Did these devices that not successfully enrolled to Intune show "Microsoft Entra hybrid joined" in Entra ID portal?
2.In addition, please refer to the following link to verify the configurations.
If there is anything update, feel free to let us know.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
Thank you for your response.
@Usman Abdullahi Thanks for your update.
Based on my understanding, when you use Microsoft Entra Connect to sync something to Entra ID, it is also needed to sync some local AD users to Entra ID. Please check if some users' "on-premises sync enabled" shows "Yes" under Users in Microsoft Entra portal. If yes, please assign Intune license to these users and use these users to sign in devices to trigger enrollment.
Thank you for taking time to respond to me.
All users are licensed for intune, both the synced users and the cloud created users. As at yesterday, only 4 devices have been added to the number of enrolled devices.
I think the enrollment is happening but 204 out of 6k is just too slow.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(22.400000000000002, 61%, 12%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ERT%3C/text%3E%3C/svg%3E)
Hi Usman,
Please check if the MDM user scope is set to all or include the relevant users/groups:
Ensure MAM user scope is set to None, as it can conflict with MDM enrollment.
Please refer - https://learn.microsoft.com/en-us/mem/intune-service/enrollment/windows-enroll#enable-windows-automatic-enrollment
Hope it can help you.
If the answer is helpful, please click "Accept Answer" and kindly upvote it. If you have extra questions about this answer, please click "Comment".
Hi Reny, thank you for providing a response. The user scope is set to all, The group policy has been linked to all the computers and the the OUs have also been selected on Entra connect as well.
At first, for some of the onboarded devices, when we run the DSREG cmd, the discovery url wasn't populating, so we allowed the url on the firewall and a number of those devices could enroll.