This browser is no longer supported.
Upgrade to Microsoft Edge to take advantage of the latest features, security updates, and technical support.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(313.6, 14.000000000000002%, 40%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3EY%3C/text%3E%3C/svg%3E)
Hi everyone,
I would like to use just a DEM account to enroll the devices and prevent any user to perform the enrollment.
I have created a DEM account and set up into MEM.
In AAD should I:
OR
Thanks you in advance for your help,
Regards.
@Yop Thanks for your explain.
I have done the test in my lab. It seems we can use DEM account to enroll the device during OOBE. The following are the steps as a reference:
1.Add a DEM account in intune portal.
2.Use the DEM account to login the device.
3.Check if the device is enrolled in intune. And I can see the device in intune portal.
Based on the test, I think we can use the DEM account to enroll devices during OOBE.
Hope it will help.
If the response is helpful, please click "Accept Answer" and upvote it.
Note: Please follow the steps in our documentation to enable e-mail notifications if you want to receive the related email notification for this thread.
@Yop I am currently standing by for further update from you and would like to know how things are going. If you have any questions or concerns on the recent information I've provided you, please don't hesitate to let me know.
Are these newly provisioned systems? If not, are you going to manually log into every system to do this?
Are the systems currently joined to an on-prem AD (if already provisioned)?
Also, using a DEM account has some restrictions and is not intended for single-user systems.
@Yop Thanks for posting in our Q&A.
For this issue, the MDM user scope in "Microsoft Intune" is configured to automatic MDM enrollment. Don't change the settings in "Microsoft Intune Enrollment" and keep it as the default.
https://learn.microsoft.com/en-us/mem/intune/enrollment/windows-enroll#configure-automatic-mdm-enrollment
When we add the group included the DEM account to the MDM scope in "Microsoft Intune", we can auto-enroll the devices via DEM account. And it is suggested to try to block personal devices in Device type restrictions.
For restrictions with DEM that Jason said, I just add a link that lists the limitations:
https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll#limitations-of-devices-that-are-enrolled-with-a-dem-account
Hope the above information will help.
Dear Both,
I would like to thank you for your reply.
Please note that:
We do not want the machines to be linked specifically to the personal account of the user who enrolled the machine (if the person leaves the company, the account will be disabled and Intune license "recycled" we will loose the bound with the machine in Intune).
We also do not want the personnal machines to be enrolled.
![](data:image/svg+xml, %3Csvg xmlns='http://www.w3.org/2000/svg' height='64' class='font-weight-bold' style='font: 600 30.11764705882353px "SegoeUI", Arial' width='64'%3E%3Ccircle fill='hsl(86.4, 66%, 18%)' cx='32' cy='32' r='32' /%3E%3Ctext x='50%25' y='55%25' dominant-baseline='middle' text-anchor='middle' fill='%23FFF' %3ENH%3C/text%3E%3C/svg%3E)
Have you looked at using Autopilot and self-deploying mode then? https://learn.microsoft.com/en-us/mem/autopilot/self-deploying
Hi Nick,
Thanks for your message.
We will need to be able to assign a specific hostname for each machine which does not follow any math or logic.
I agree, maybe it is something we should look into in in the future but not for now as it would require to change too much thing from an IT and Service Management perspective.
Thanks again,
Regards,
Hervé
Dear @Jason Sandys , @Lu Dai-MSFT and @Nick Hogarth ,
I would like to thank you for your help and apologize for my late reply.
I have done the following:
So, the accounts the DEM group can auto enroll the machines in MEM during OOBE and no other user account can join/enroll a machine.
Thanks again for your help,
Kind regards