Registering devices with Intune for management and policy enforcement
Intune licenses are always assigned to users, not to individual enrollments. The account that signs in during OOBE must have an appropriate Intune-eligible license if the device is to be managed by Intune under that user.
Key points from the scenario:
- The deployment account (for example, an IT “staging” account with Business Premium) is used during OOBE/Autopilot.
- The eventual primary user (for example, DEF456 with Business Standard only) receives the device later.
- The device becomes non-compliant and a forced re-enrollment is used.
- The goal is to have the device ultimately managed under the end user’s Intune license, not the staging account.
Behavior and licensing requirements:
- Users who are assigned a Cloud PC or Intune-managed device must have an Intune license assigned to them to receive user policies and be properly managed. If the user does not have the correct license, enrollment and policy application can fail with errors such as “Your IT admin hasn’t given you access to use this app” or similar licensing messages.
- If a user signs in and attempts to enroll or use Intune without the correct license, the device can’t be properly enrolled or managed until the correct license is assigned.
- The MDM authority must be correctly set to Intune; otherwise, enrollment and features such as Enrollment Status Page (ESP) will not function correctly.
How to assign or change Intune licenses after deployment:
Licenses can be assigned or changed at any time; they are not permanently tied to the initial enrollment user.
To assign an Intune license to the eventual user (for example, DEF456):
- In the Microsoft Intune admin center, go to Users > All Users.
- Select the target user (for example, DEF456).
- On the user Profile page, select Licenses.
- Select Assignments.
- Find Intune (or a plan that includes Intune), select the checkbox, and select Save.
After this, the user account has permissions to use the service and enroll devices. If the device was previously enrolled under a staging account, the typical pattern is:
- Wipe or reset the device (or perform a forced re-enrollment as used today).
- Re-enroll the device so that it is joined and enrolled under the correct user identity that already has the Intune license assigned.
This ensures that compliance policies, configuration profiles, and app assignments that are scoped to the end user are applied correctly.
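The admin-center steps above can be checked (and, if wanted, performed) from a script before the device is wiped, which avoids re-enrolling under a user who still lacks the license. This is an added example, not part of the original guidance: it assumes the Microsoft Graph PowerShell SDK is installed, that the caller holds the User.ReadWrite.All and Organization.Read.All permissions, and that "INTUNE_A" is the service plan name for Microsoft Intune Plan 1; the UPN and usage location are placeholders.

```powershell
# Verify (and optionally assign) an Intune-eligible license for the eventual
# primary user before the device is reset and re-enrolled under that user.
param(
    [Parameter(Mandatory)] [string] $UserPrincipalName,  # placeholder, e.g. DEF456@contoso.example
    [string] $IntunePlanName = "INTUNE_A",                 # service plan name for Intune Plan 1 (assumed)
    [string] $UsageLocation  = "US",                       # placeholder; required before licensing
    [switch] $Assign                                       # without -Assign the script only reports
)

Connect-MgGraph -Scopes "User.ReadWrite.All", "Organization.Read.All"

$user = Get-MgUser -UserId $UserPrincipalName -Property Id, UserPrincipalName, UsageLocation

# 1. Does a license already assigned to the user carry an active Intune service plan?
$hasIntune = Get-MgUserLicenseDetail -UserId $user.Id |
    ForEach-Object { $_.ServicePlans } |
    Where-Object { $_.ServicePlanName -eq $IntunePlanName -and $_.ProvisioningStatus -eq "Success" }

if ($hasIntune) {
    Write-Output "$UserPrincipalName already has an active Intune service plan; re-enrollment under this user can proceed."
    return
}

Write-Warning "$UserPrincipalName has no active Intune service plan; enrollment under this user will fail until one is assigned."
if (-not $Assign) { return }

# 2. Find a tenant SKU that includes Intune and still has free seats
#    (Business Premium includes Intune; Business Standard alone does not).
$sku = Get-MgSubscribedSku |
    Where-Object { $_.ServicePlans.ServicePlanName -contains $IntunePlanName -and
                   $_.PrepaidUnits.Enabled -gt $_.ConsumedUnits } |
    Select-Object -First 1
if (-not $sku) { throw "No SKU containing $IntunePlanName has free seats in this tenant." }

# 3. A usage location must be set on the user before any license can be assigned.
if (-not $user.UsageLocation) {
    Update-MgUser -UserId $user.Id -UsageLocation $UsageLocation
}

Set-MgUserLicense -UserId $user.Id -AddLicenses @(@{ SkuId = $sku.SkuId }) -RemoveLicenses @()
Write-Output "Assigned $($sku.SkuPartNumber) to $UserPrincipalName; the device can now be reset and re-enrolled."
```

Run it without -Assign first to confirm the user's licensing state; license changes can take a short while to propagate before the user can enroll.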
Deployment tips when end-user credentials cannot be used at OOBE:
- Use Windows Autopilot user-driven mode with a dedicated deployment profile:
  - Configure a Windows Autopilot deployment profile in Intune with Deployment mode set to User-driven, Join to Microsoft Entra ID as set to Microsoft Entra joined, and User account type set to Standard.
  - Assign this profile to the device group so that when the device is reset and goes through OOBE, it is ready for user sign-in and enrollment.
- Use an Enrollment Status Page (ESP):
  - Create and assign an ESP so that during OOBE, the device remains on the provisioning screen until all required apps and profiles are installed.
  - Configure the ESP to block device use until apps and profiles are installed, and optionally allow reset if installation errors occur.
- BYOD or personal device scenarios (if applicable):
  - For personal devices, users can use Settings > Accounts > Access work or school > Connect, then choose Join this device to Azure Active Directory to join the device to Microsoft Entra ID and trigger automatic enrollment into Intune, provided an automatic MDM enrollment policy is configured and the user has an Intune license.
- Ensure MDM authority and enrollment configuration are correct:
  - Confirm that the MDM authority is set to Intune. If the tenant is still using the legacy Office 365 MDM authority, features like ESP are not available until the authority is switched to Intune.
  - Verify that automatic MDM enrollment is configured correctly and that the MDM discovery URL is set to the Intune default.
In practice, for a “ready-to-go” PC model where end-user credentials are not used at OOBE, the recommended pattern is:
- Pre-register devices in Windows Autopilot and assign them a user-driven Autopilot profile.
- Ship the device to the user.
- Ensure the user has the correct Intune license before first sign-in.
- The user signs in during OOBE with their own account; the device joins Microsoft Entra ID and enrolls into Intune under that user.
If a staging account must be used initially, plan to:
- Assign the Intune license to the final user.
- Wipe/reset the device and re-run OOBE so the final user signs in and becomes the primary user for Intune management.