When Intune Auto-Enroll Fails — And WHfB Magically Fixes It

JMcNairTech

Introduction

You’d think that Intune auto-enrollment would be predictable. This week, I built a fresh Windows 11 VM, applied the usual GPO settings, and expected it to slide right into compliance. But instead of enrolling, the device just sat there. No obvious errors, no status change… just refusing to cooperate.

After retracing my steps, testing registry tweaks, and trying almost everything else I could possibly find on the subject, I ended up enabling Windows Hello for Business — mostly out of curiosity. That’s when everything clicked. Suddenly, the device enrolled, compliance kicked in, and voilà — the “Access work or school” > “Info” sync option finally showed up.

This post documents that journey — not just as a troubleshooting log, but as a case study in how so-called “optional” features like WHfB can unexpectedly become critical in your lab environment. If you're running into strange auto-enrollment issues, this might be the clue you didn’t know you needed.

Lab Setup

  • Platform: Windows 11 VM hosted on Hyper-V

  • Domain Context: Joined to on-prem AD with Azure AD Connect syncing; hybrid join confirmed

  • Policy Applied: Group Policy enabling automatic MDM enrollment via user credentials

  • Expectation: Device should enroll in Intune after login

  • Outcome: No enrollment. No sync button. No errors.

Troubleshooting Steps

Before WHfB entered the picture, I tried nearly everything:

  • Verified hybrid join status via dsregcmd /status

  • Confirmed GPOs were applying correctly

  • Cleared MDM-related registry keys under HKLM\SOFTWARE\Microsoft\Enrollments

  • Rebooted multiple times

  • Ran mdmdiagnosticstool.exe -area Enrollment -cab and reviewed the logs

Still, the device wouldn’t enroll.

Windows Hello for Business: The Unexpected Fix

Eventually, I enabled Windows Hello for Business — just a basic PIN setup. I didn’t expect much. But immediately after configuring WHfB:

  • The device enrolled in Intune

  • Compliance policies began applying

  • The long-lost “Info” button in the “Access work or school” settings appeared

Something in the token or credential flow had changed.

Why WHfB Might Matter More Than You Think

WHfB is typically framed as a passwordless security feature. But in hybrid or cloud-joined setups, it can affect the authentication context used for token generation — a critical piece of MDM enrollment.

Without WHfB, the device may lack sufficient context to initiate enrollment. Microsoft’s documentation doesn’t make this dependency clear, but in practice, enabling WHfB can resolve silent failures in scenarios like mine.

Helpful Commands and Registry Paths

Commands to Run

  • dsregcmd /status – Confirms Azure AD join and token status

  • mdmdiagnosticstool.exe -area Enrollment -cab – Generates diagnostic output

Registry Locations to Check

  • HKLM\SOFTWARE\Microsoft\Enrollments

  • HKLM\SOFTWARE\Microsoft\PolicyManager\current\device

GPO to Review

  • Policy: Enable automatic MDM enrollment using user credentials

  • Confirm it's applied under the correct scope and timing
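The checks listed above, gathered in one PowerShell snapshot so they can be compared before and after enabling WHfB. This is an added example and not part of the original post; it assumes the dsregcmd field names (AzureAdJoined, AzureAdPrt, NgcSet, MdmUrl), the policy value AutoEnrollMDM, the Enrollments value names (ProviderID, EnrollmentState, UPN) and the auto-enroll scheduled task name as they appear on typical Windows 11 builds.

```powershell
# Added example (not from the original post). Run from an elevated prompt on the
# lab VM once before enabling WHfB and once after, then diff the two outputs.
# Field and value names below are assumptions based on typical dsregcmd and
# registry output; adjust if your build differs.

function Get-DsregField {
    param([string[]]$Lines, [string]$Name)
    # dsregcmd /status prints "Name : Value" rows; return the first matching value.
    $row = $Lines | Where-Object { $_ -match "^\s*$Name\s*:\s*(.+?)\s*$" } | Select-Object -First 1
    if ($row) { return ($row -replace "^\s*$Name\s*:\s*", '').Trim() }
    return 'NOT FOUND'
}

$dsreg  = dsregcmd /status
$report = [ordered]@{}
# AzureAdPrt = Primary Refresh Token present; NgcSet = a Windows Hello key is provisioned
foreach ($f in 'AzureAdJoined', 'DomainJoined', 'AzureAdPrt', 'NgcSet', 'MdmUrl') {
    $report[$f] = Get-DsregField -Lines $dsreg -Name $f
}

# Registry-backed state of the "Enable automatic MDM enrollment" GPO (value name assumed)
$mdmPolicy = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$report['AutoEnrollMDM (GPO)'] = (Get-ItemProperty -Path $mdmPolicy -ErrorAction SilentlyContinue).AutoEnrollMDM

# Enrollment records: one GUID subkey per attempt; Intune's ProviderID is "MS DM Server"
$enrollments = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath
        if ($p.ProviderID) {
            [pscustomobject]@{ Id = $_.PSChildName; Provider = $p.ProviderID; State = $p.EnrollmentState; UPN = $p.UPN }
        }
    }

# The GPO also creates the auto-enroll scheduled task; if it is missing the policy never applied
$task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
    Where-Object TaskName -like '*automatically enrolling*'
$report['AutoEnroll task'] = if ($task) { $task.State } else { 'NOT FOUND' }

[pscustomobject]$report | Format-List
if ($enrollments) { $enrollments | Format-Table -AutoSize } else { 'No MDM enrollment records found' }
```

In the scenario described in this post, the expected change between the two runs is NgcSet flipping to YES alongside a new "MS DM Server" enrollment record appearing.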

Conclusion

This experience was a reminder of why lab testing matters — not every deployment scenario goes exactly the way you would hope. WHfB, while technically optional, played a key role in enabling successful auto-enrollment in this Hyper-V VM. If you’re seeing similar issues, try setting up Windows Hello — it may be the silent key that unlocks your workflow.

And if you've encountered other unexpected Intune or hybrid join behaviors, share them — the more we surface these edge cases, the better we can guide others through the maze.
