When Intune Auto-Enroll Fails — And WHfB Magically Fixes It


Introduction
You’d think that Intune auto-enrollment would be predictable. This week, I built a fresh Windows 11 VM, applied the usual GPO settings, and expected it to slide right into compliance. But instead of enrolling, the device just sat there. No obvious errors, no status change… just refusing to cooperate.
After retracing my steps, testing registry tweaks, and trying almost everything else I could possibly find on the subject, I ended up enabling Windows Hello for Business — mostly out of curiosity. That’s when everything clicked. Suddenly, the device enrolled, compliance kicked in, and voilà — the “Access work or school” > “Info” sync option finally showed up.
This post documents that journey — not just as a troubleshooting log, but as a case study in how so-called “optional” features like WHfB can unexpectedly become critical in your lab environment. If you're running into strange auto-enrollment issues, this might be the clue you didn’t know you needed.
Lab Setup
- Platform: Windows 11 VM hosted on Hyper-V
- Domain Context: Joined to on-prem AD with Azure AD Connect syncing; hybrid join confirmed
- Policy Applied: Group Policy enabling automatic MDM enrollment via user credentials
- Expectation: Device should enroll in Intune after login
- Outcome: No enrollment. No sync button. No errors.
Troubleshooting Steps
Before WHfB entered the picture, I tried nearly everything:
- Verified hybrid join status via dsregcmd /status
- Confirmed GPOs were applying correctly
- Cleared MDM-related registry keys under HKLM\SOFTWARE\Microsoft\Enrollments
- Rebooted multiple times
- Ran mdmdiagnosticstool.exe -area Enrollment -cab and reviewed the logs
Still, the device wouldn’t enroll.
Windows Hello for Business: The Unexpected Fix
Eventually, I enabled Windows Hello for Business — just a basic PIN setup. I didn’t expect much. But immediately after configuring WHfB:
- The device enrolled in Intune
- Compliance policies began applying
- The long-lost “Info” button in the “Access work or school” settings appeared
Something in the token or credential flow had changed.
Why WHfB Might Matter More Than You Think
WHfB is usually framed as a passwordless sign-in feature, but on a hybrid Azure AD joined device its provisioning shares prerequisites with MDM auto-enrollment: device registration must have completed (dsregcmd /status shows DomainJoined : YES and AzureAdJoined : YES), and the signed-in user must hold an Azure AD Primary Refresh Token (AzureAdPrt : YES). The GPO-driven enrollment is carried out by a scheduled task under Task Scheduler Library\Microsoft\Windows\EnterpriseMgmt (“Schedule created by enrollment client for automatically enrolling in MDM from AAD”) that authenticates to the enrollment service with that PRT. If the PRT is not there, the task fails quietly: no dialog, no change in Settings, only a failure event (ID 76, “Auto MDM Enroll: Failed”) in the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin log, which is exactly the “no errors” symptom described above.
Microsoft’s documentation does not list WHfB as a prerequisite for auto-enrollment, and hybrid-joined devices routinely enroll without it. A plausible explanation for what happened here (an assumption, not something the collected logs proved) is that WHfB provisioning forced a fresh Azure AD sign-in, which obtained the PRT and completed the registration state the enrollment task had been waiting for, so its next scheduled run succeeded. The practical advice stands either way: when a hybrid-joined device silently refuses to enroll, check AzureAdPrt before anything else, and if provisioning WHfB is what gets it to YES, that is a legitimate way to unblock a lab.
Helpful Commands and Registry Paths
Commands to Run
- dsregcmd /status
  Confirms the hybrid join state (DomainJoined, AzureAdJoined), whether the signed-in user holds a PRT (AzureAdPrt, under SSO State), and whether WHfB is provisioned for that user (NgcSet, under User State). Run it as the user who is expected to enroll; the SSO and user sections are per-user.
- mdmdiagnosticstool.exe -area DeviceEnrollment;DeviceProvisioning -cab C:\Temp\MDMDiag.cab
  Collects enrollment and provisioning diagnostics into a .cab. The -cab switch needs an output path (C:\Temp\MDMDiag.cab is just a placeholder), and the enrollment area is named DeviceEnrollment.
Registry Locations to Check
- HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM
  Where the auto-enrollment GPO lands: AutoEnrollMDM = 1 and UseAADCredentialType = 1 (User Credential) or 2 (Device Credential). If these values are absent, the GPO has not applied and nothing else matters yet.
- HKLM\SOFTWARE\Microsoft\Enrollments
  One GUID subkey per enrollment; an Intune enrollment has ProviderID = MS DM Server and a DiscoveryServiceFullURL. Deleting these subkeys (as was done during troubleshooting above) forces a fresh attempt, but do it only on a device that is not already successfully enrolled, because it severs the existing management channel.
- HKLM\SOFTWARE\Microsoft\PolicyManager\current\device
  Device-scoped CSP settings that Intune has actually delivered. If this tree is empty or has no Intune-delivered areas, enrollment or the first sync never completed.
GPO to Review
- Computer Configuration > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Azure AD credentials, with the credential type set to User Credential (this is the “user credentials” policy referred to above).
- Confirm it applies to the OU containing the computer object (gpresult /r or rsop.msc on the VM) and that policy has refreshed since the hybrid join completed: gpupdate /force, reboot, then a user sign-in, since the policy creates the enrollment scheduled task and that task runs in the signed-in user’s session with the User Credential setting.
- On the tenant side, the user must be inside the MDM user scope (Azure AD > Mobility (MDM and MAM) > Microsoft Intune) and hold an Intune license; a correctly applied GPO cannot overcome either of those being missing.
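To turn the troubleshooting sequence above and the dsregcmd/registry/GPO checks in this section into one repeatable pass, here is a PowerShell diagnostic script. It is an added example, not a script from the original post or from Microsoft: the registry value names, task path and event IDs are the documented ones, while the function names and the order in which the verdict at the end ranks the usual blockers are this script's own assumptions. It expects to be run in an elevated session on the hybrid-joined VM as the user who is supposed to enroll.

```powershell
# Added diagnostic script, not part of the original post. Assumes a Windows 11
# hybrid Azure AD joined device, run in an elevated PowerShell session as the
# user who is expected to enroll (the PRT and NgcSet fields are per-user).
# Registry values, task path and event IDs are the documented ones; the function
# names and the verdict ordering at the end are this script's own.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; keep the single-word keys
    # (DomainJoined, AzureAdJoined, AzureAdPrt, NgcSet, MdmUrl, ...) in a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$Matches[1]] = $Matches[2]
        }
    }
    return $status
}

function Get-AutoEnrollPolicy {
    # Written by the GPO "Enable automatic MDM enrollment using default Azure AD credentials".
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    if (-not (Test-Path $path)) { return $null }
    $p = Get-ItemProperty -Path $path
    [pscustomobject]@{
        AutoEnrollMDM        = $p.AutoEnrollMDM         # 1 = enabled
        UseAADCredentialType = $p.UseAADCredentialType  # 1 = User Credential, 2 = Device Credential
    }
}

function Get-MdmEnrollments {
    # Each enrollment is a GUID subkey; Intune's ProviderID is "MS DM Server".
    Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^\{?[0-9A-Fa-f-]{36}\}?$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.PSObject.Properties.Name -contains 'ProviderID') {
                [pscustomobject]@{
                    Id           = $_.PSChildName
                    ProviderID   = $p.ProviderID
                    State        = $p.EnrollmentState
                    DiscoveryUrl = $p.DiscoveryServiceFullURL
                }
            }
        }
}

function Get-AutoEnrollTask {
    # The GPO creates this task; it performs the actual enrollment in the user's session.
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like 'Schedule created by enrollment client*' } |
        ForEach-Object {
            $info = $_ | Get-ScheduledTaskInfo
            [pscustomobject]@{
                TaskName       = $_.TaskName
                State          = $_.State
                LastRunTime    = $info.LastRunTime
                LastTaskResult = ('0x{0:X8}' -f $info.LastTaskResult)
            }
        }
}

function Get-AutoEnrollEvents {
    # Event 75 = "Auto MDM Enroll: Succeeded", 76 = "Auto MDM Enroll: Failed".
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 75, 76
    } -MaxEvents 5 -ErrorAction SilentlyContinue | Select-Object TimeCreated, Id, Message
}

$ds     = Get-DsregStatus
$policy = Get-AutoEnrollPolicy
$intune = @(Get-MdmEnrollments | Where-Object ProviderID -eq 'MS DM Server')
$task   = @(Get-AutoEnrollTask)

'--- Device / SSO state (dsregcmd /status) ---'
foreach ($k in 'DomainJoined', 'AzureAdJoined', 'AzureAdPrt', 'NgcSet', 'MdmUrl') {
    '{0,-14}: {1}' -f $k, $ds[$k]
}
'--- Auto-enrollment policy (GPO) ---';               $policy | Format-List | Out-String
'--- Intune enrollments ---';                         $intune | Format-Table -AutoSize | Out-String
'--- Auto-enrollment scheduled task ---';             $task | Format-List | Out-String
'--- Last auto-enroll events (75 ok, 76 failed) ---'; Get-AutoEnrollEvents | Format-List | Out-String

# Verdict: the usual blockers, checked in dependency order (this script's own heuristic).
if ($intune.Count -gt 0) {
    'Already enrolled with Intune (ProviderID = MS DM Server); nothing to fix here.'
} elseif ($null -eq $policy -or $policy.AutoEnrollMDM -ne 1) {
    'Blocker: the auto-enrollment GPO has not applied (AutoEnrollMDM missing or not 1).'
} elseif ($ds['AzureAdJoined'] -ne 'YES') {
    'Blocker: hybrid Azure AD join has not completed (AzureAdJoined is not YES).'
} elseif ($ds['AzureAdPrt'] -ne 'YES') {
    'Blocker: this user has no PRT, so the enrollment task cannot authenticate. ' +
    'A fresh sign-in (or WHfB provisioning, as in this post) normally obtains one.'
} elseif ($task.Count -eq 0) {
    'Blocker: the enrollment scheduled task is missing; run gpupdate /force, reboot, sign in again.'
} else {
    'Prerequisites look satisfied; read the event 76 messages above for the actual failure code.'
}
```

The verdict order matters: an enrollment that already exists, a GPO that never applied, or an incomplete hybrid join each explain a stuck device on their own, so the PRT check only fires once those are ruled out. On the VM in this post, the interesting line is AzureAdPrt; if it reads NO before WHfB is provisioned and YES afterwards, that supports the token-flow explanation rather than anything WHfB-specific.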
Conclusion
This experience was a reminder of why lab testing matters — not every deployment scenario goes exactly the way you would hope. WHfB, while technically optional, played a key role in enabling successful auto-enrollment in this Hyper-V VM. If you’re seeing similar issues, try setting up Windows Hello — it may be the silent key that unlocks your workflow.
And if you've encountered other unexpected Intune or hybrid join behaviors, share them — the more we surface these edge cases, the better we can guide others through the maze.
Written by JMcNairTech