Set up automatic enrollment for Windows devices

Applies to

• Windows 10
• Windows 11

Simplify Windows enrollment for you and device users by enabling automatic enrollment in Microsoft Intune. This enrollment method enables devices to enroll automatically when they join or register in your Azure Active Directory.

Automatic enrollment can be used in the following device management and provisioning scenarios:

• Bring-your-own-device (BYOD), personal devices
• Bulk enrollment
• Group Policy
• Windows Autopilot (user driven and self-deploying)
• Co-management with Configuration Manager

This article describes how to enable MDM automatic enrollment for personal and corporate-owned devices.

Prerequisites

• Requires Azure AD Premium or Premium trial subscription for automatic MDM enrollment and custom company branding
• Microsoft Intune subscription
• Global Administrator permissions

Enable Windows automatic enrollment

If you enable MDM automatic enrollment, enrollment in Intune will occur when:

• An Azure AD user adds their work or school account to their personal device.
• A corporate-owned device joins to your Azure AD.

1. Sign in to the Azure portal, and select Azure Active Directory > Mobility (MDM and MAM) > Microsoft Intune.

   

2. Configure MDM User scope. Specify which users' devices should be managed by Microsoft Intune. These Windows 10 devices can automatically enroll for management with Microsoft Intune.

   • None - MDM automatic enrollment disabled

   • Some - Select the Groups that can automatically enroll their Windows 10 devices

   • All - All users can automatically enroll their Windows 10 devices

     Important

     For Windows BYOD devices, the MAM user scope takes precedence if both the MAM user scope and the MDM user scope (automatic MDM enrollment) are enabled for all users (or the same groups of users). The device will not be MDM enrolled, and Windows Information Protection (WIP) Policies will be applied if you have configured them.

     If your intent is to enable automatic enrollment for Windows BYOD devices to an MDM: configure the MDM user scope to All (or Some, and specify a group) and configure the MAM user scope to None (or Some, and specify a group – ensuring that users are not members of a group targeted by both MDM and MAM user scopes).

     For corporate devices, the MDM user scope takes precedence if both MDM and MAM user scopes are enabled. The device will get automatically enrolled in the configured MDM.

   Note

   MDM user scope must be set to an Azure AD group that contains user objects.

   

3. Use the default values for the following URLs:

   • MDM Terms of use URL
   • MDM Discovery URL
   • MDM Compliance URL

4. Select Save.

Multifactor authentication

Two-factor authentication is not enabled for automatic enrollment by default. We recommend requiring multifactor authentication during device registration. For more information, see Getting started with the Azure Active Directory Multi-Factor Authentication Server.

Support for device users

The Microsoft Intune user-help docs provide conceptual information, tutorials, and how-to guides for employees and students setting up their devices for work. You can point people directly to the Intune docs, or use these articles as guidance when developing and updating your own device management docs.

Users on personal devices running Windows 11 or Windows 10 can automatically enroll by adding their work or school account on their device, or by using the Intune Company Portal app. Devices running earlier versions of Windows must enroll using the Intune Company Portal app. For more information, see Enroll Windows 10/11 devices.

You can also let unlicensed admins sign in to the Intune admin center to help with troubleshooting and support. For more information, see Unlicensed admins.

Best practices and troubleshooting

• Device users must access the Company Portal website through Microsoft Edge to view Windows apps that you've assigned for specific versions of Windows. Other browsers, including Google Chrome, Mozilla Firefox, and Internet Explorer do not support this type of filtering.

• If you do not have Auto-MDM enrollment enabled, but you have Windows 10/11 devices that have been joined to Azure AD, two records will be visible in the Microsoft Intune admin center after enrollment. You can stop this by making sure that users with Azure AD joined devices go to Accounts > Access work or school and Connect using the same account.

Next steps

For information about how to integrate and use automatic enrollment when provisioning devices, see:

• Tutorial: Use Windows Autopilot to enroll devices in Intune
• Enroll a Windows client device automatically using Group Policy
• Enable co-management in Configuration Manager

If you're not using automatic enrollment as part of your enrollment or provisioning solution, we recommend creating a domain name server (DNS) alias (known as a CNAME record type) that redirects enrollment requests to Intune servers. For more information, see Enable auto-discovery of Intune enrollment server.