Enroll Windows devices using Microsoft Intune
Modern management starts with enrollment. When a Windows device enrolls in Microsoft Intune it becomes a trusted endpoint in your environment. The device receives policies, configuration profiles, apps, and other settings you define. Enrollment also creates a device record in both the Intune admin center and Microsoft Entra ID, giving you visibility into inventory, compliance, and service health.
This unit explains the options for enrolling Windows clients, the requirements for each option, and guidance on choosing the right method for your organization.
Why enrollment matters
Without enrollment you can’t enforce security rules, deploy software, or remotely troubleshoot a device. Enrolled devices are also eligible for conditional access and can be targeted by compliance policies. Enrolling a personal (BYOD) device lets users access corporate resources while keeping personal data private. On corporate devices, enrollment ensures that every machine meets your standards and remains under your control.
Note
Windows 10 reached end of support on October 14 2025. Devices running an unsupported version can still enroll, but feature availability and stability aren’t guaranteed. Stay on Windows 10 1909 or later, or move to Windows 11.
Enrollment requirements
Before you begin, make sure you have:
- Windows 10 version 1809 or later, or Windows 11
- An internet connection
- A Microsoft Entra user account with an Intune license
- Microsoft Entra ID P1 or P2 license for automatic enrollment
- Devices not already joined or registered to another tenant
Also complete the tenant‑level prerequisites described in the Intune enrollment deployment guide.
Windows enrollment options
Intune supports several enrollment paths for Windows clients. Each method affects device ownership, user experience, and the level of control IT enjoys. Choose the one that matches your deployment scenario.
Automatic enrollment
Best for corporate‑owned devices and BYOD when you want consistent onboarding. Automatic enrollment uses the Access work or school feature in Settings or Group Policy for hybrid environments. After you enable automatic enrollment in the Intune admin center, users simply sign in with their work account and the device joins Microsoft Entra ID and enrolls in Intune automatically.
Windows Autopilot
Use Autopilot for zero‑touch provisioning of new devices. After registering device hardware IDs and assigning a deployment profile, the device applies your configuration as soon as it completes the OOBE.
Autopilot modes include user-driven, self-deploying (generally available and ready for production kiosk and shared-device deployments since February 2024), pre-provision (white glove), and existing-device provisioning. Autopilot requires automatic enrollment and an Entra ID P1/P2 license.
Administrator tasks include registering devices, creating and assigning profiles, and installing the Intune Connector for hybrid join if needed. Users simply power on the device and sign in (or nothing at all in self‑deploying mode).
User‑driven enrollment
This manual method is appropriate for existing corporate devices and BYOD scenarios where you don’t have P1/P2 licenses. Users open Settings, navigate to Accounts → Access work or school → Connect, and enter their work credentials. The device joins Entra ID and enrolls in Intune.
Bulk enrollment
For large‑scale or kiosk deployments, create a provisioning package with the Windows Configuration Designer app. Apply it during OOBE or from Settings to enroll multiple devices at once. Alternatively, use the Device Enrollment Manager (DEM) account to enroll up to 1,000 devices per account.
Configuration Manager co‑management
If you already use Configuration Manager, co‑management lets you enroll devices in Intune while still using ConfigMgr for some workloads. Devices must be hybrid joined, and you will enable automatic enrollment from the client.
Choosing a method
Match your choice to three factors:
- Ownership – corporate devices usually use Autopilot or automatic enrollment; personal devices work with user‑driven or automatic enrollment with MAM scope set.
- Scale – manual methods suit pilots; bulk and Autopilot scale to hundreds or thousands of devices.
- User interaction – Autopilot and automatic enrollment minimize clicks; user‑driven and DEM require users or IT to initiate the process.
| Scenario | Recommended method |
|---|---|
| New corporate devices for known users | Windows Autopilot (User-Driven) |
| Existing desktops for remote workers | Windows Autopilot (User-Driven) |
| Prepared devices for the service desk | Windows Autopilot (Self-Deploying) |
| Shared kiosk or conference devices | Autopilot Self-Deploying or bulk provisioning package |
| BYOD | User enrollment |
| Configuration Manager environment | Co‑management |
Warning
Don’t enroll personal devices with full management unless users consent!
After enrollment
Once a device enrolls:
- It appears under Devices → All devices in the Intune admin center.
- Microsoft Entra ID shows the device as registered or joined.
- The device begins syncing policies, apps, and compliance settings.
- Inventory data (OS version, hardware specs, installed apps) collects automatically.
You can verify enrollment locally in Settings > Accounts > Access work or school and trigger a manual sync. In the admin center, review ownership, compliance status, last check‑in, and configuration profiles assigned.
Tip
Enrollment can take a few minutes; some inventory details may not appear for up to eight hours.