Navigating the complexities of Microsoft-based platforms, IT professionals frequently encounter challenges in Intune enrollment, particularly with domain-joined workstations. This post aims to provide a clear and detailed solution to these issues, building upon the insightful discovery by Chris Barnes and Scott McHenry, both seasoned experts in the field. Their methodical approach offers a lifeline for system administrators and IT personnel facing enrollment difficulties in Intune, ensuring a smoother integration of domain-joined PCs into the Intune management ecosystem.
If dsregcmd /status looks good, and it’s showing in Entra ID as Hybrid-joined, the problem may be a local issue that has the potential to impact multiple workstations.

Understanding the Issue

The crux of the problem often lies in the intricacies of Group Policy settings, which can cause conflicts or corruptions, hindering the enrollment process in Intune. Addressing these issues requires a nuanced understanding of Microsoft environments and a strategic approach to system configuration.

The Remediation Process

The following steps provide a guide to resolving these Intune enrollment issues:

  1. Administrative Command Prompt: Log in to the problematic PC using a domain account. Open a command prompt with Administrative rights. This step is crucial for executing system-level commands.
  2. Execute Commands: In the command prompt, run the following commands:
    RD /S /Q "%WinDir%\System32\GroupPolicyUsers"
    RD /S /Q "%WinDir%\System32\GroupPolicy"
    gpupdate /force

These commands remove the Group Policy settings, effectively resetting them. The ‘gpupdate /force’ command refreshes the Group Policy settings and should prompt a system reboot.

  3. Reboot the PC: If the system does not prompt for a reboot, manually restart the PC. This step ensures that all changes are appropriately applied. After rebooting, log back into the PC using a domain account.
  4. Establish your Identity: After login, authenticate the account with multi-factor authentication (MFA) when prompted. If not prompted, open a Microsoft 365 application (like Teams, Outlook, or Excel). After authenticating and completing MFA, you can close the app if desired.
  5. Access Account Settings: In the search box, type “account” and hit Enter. This opens the accounts window in the settings.
  6. Navigate to ‘Access Work or School’: Click on “Access work or school” in the left-hand pane, and then select the AD domain account in the right-hand pane.
  7. Sync the Account: Click the ‘Info’ button under the account and scroll down to find the sync button. Click this button and wait for the account to report back as being successfully synced.
  8. Verification in Intune: After approximately 15 to 30 minutes, check Intune and Entra portals. The PC should now be enrolled successfully.
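The following PowerShell script is an added example, not code from the original post or its authors. It scripts the scriptable part of the procedure: the dsregcmd /status check mentioned at the top of the post (confirming the device reports as hybrid-joined before touching anything) and steps 1 to 3 (removing the two Group Policy folders and running gpupdate /force). It adds one thing the post does not: a backup of both folders before deletion, so the change can be reversed if a workstation turns out to depend on local policy customisations. The backup path under ProgramData is an assumption and can be changed; the remaining steps (MFA sign-in and the account sync in Settings) are interactive and are left to the operator.

```powershell
# Added example (not from the original post): scripted Group Policy reset
# with a dsregcmd /status pre-check and a backup of the policy folders.
# Assumptions: run in an elevated PowerShell session on the affected PC,
# logged in with a domain account. $BackupRoot is a constructed path.

#Requires -RunAsAdministrator

$BackupRoot = Join-Path $env:ProgramData "GPReset-Backup-$(Get-Date -Format 'yyyyMMdd-HHmmss')"
$PolicyDirs = @(
    (Join-Path $env:WinDir 'System32\GroupPolicyUsers'),
    (Join-Path $env:WinDir 'System32\GroupPolicy')
)

function Get-DsregState {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    # Section headers and separator lines do not match the pattern and are skipped.
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([^:]+?)\s*:\s*(.+?)\s*$') {
            $state[$matches[1]] = $matches[2]
        }
    }
    return $state
}

$ds = Get-DsregState
Write-Host "AzureAdJoined : $($ds['AzureAdJoined'])"
Write-Host "DomainJoined  : $($ds['DomainJoined'])"
Write-Host "TenantName    : $($ds['TenantName'])"

# The post's fix targets a local Group Policy problem on a device that already
# shows as hybrid-joined. If the join itself is broken, stop here instead.
if ($ds['AzureAdJoined'] -ne 'YES' -or $ds['DomainJoined'] -ne 'YES') {
    Write-Warning "Device does not report as hybrid-joined; investigate the join before resetting Group Policy."
    return
}

# Back up each folder before removing it so the reset can be reverted.
New-Item -ItemType Directory -Path $BackupRoot -Force | Out-Null
foreach ($dir in $PolicyDirs) {
    if (Test-Path $dir) {
        $dest = Join-Path $BackupRoot (Split-Path $dir -Leaf)
        Copy-Item -Path $dir -Destination $dest -Recurse -Force
        Remove-Item -Path $dir -Recurse -Force      # same effect as RD /S /Q
        Write-Host "Removed $dir (backup at $dest)"
    } else {
        Write-Host "$dir not present, skipping"
    }
}

# Step 2 of the post: force a policy refresh. gpupdate may itself prompt for a reboot.
& gpupdate.exe /force

Write-Host "Reboot now, log back in with the domain account, then re-run dsregcmd /status"
Write-Host "and complete the MFA sign-in and 'Access work or school' sync steps."
```

After the reboot, running Get-DsregState again and checking that AzureAdJoined and DomainJoined are still YES is a quick way to confirm the reset did not disturb the join before waiting out the 15 to 30 minutes for Intune and Entra to reflect the enrollment.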

Conclusion

This methodical approach is designed to address many common challenges faced during Intune enrollment with domain-joined workstations. By resetting Group Policy settings and ensuring proper synchronization, this process aids in overcoming the enrollment hurdles. As always, it’s crucial to ensure that these steps are performed with proper administrative privileges and in compliance with organizational policies and procedures.
For IT professionals and system administrators, especially those overseeing Microsoft-based infrastructures, this guide serves as a valuable tool in maintaining smooth and efficient system management and security protocols.