Редагувати

Поділитися через


Enrollment guide: Enroll Windows client devices in Microsoft Intune

Personal and organization-owned devices can be enrolled in Intune. Once they're enrolled, they receive the policies and profiles you create.

You have the following options when enrolling Windows devices:

This article provides enrollment recommendations and includes an overview of the administrator and user tasks for each option.

There's also a visual guide of the different enrollment options for each platform:

A visual representation of Intune enrollment options by platform
Download PDF version | Download Visio version

Tip

This guide is a living thing. So, be sure to add or update existing tips and guidance you've found helpful.

Before you begin

For all Intune-specific prerequisites and configurations needed to prepare your tenant for enrollment, go to Enrollment guide: Microsoft Intune enrollment.

Windows automatic enrollment

Use for personal and corporate-owned devices running Windows 10 and Windows 11. Microsoft Entra ID P1 or P2 is required with some automatic enrollment options.

Automatic enrollment:

  • Uses the Access school or work feature on the devices (Settings app > Accounts).
  • Uses the enrollment options you configure in the Intune admin center.

You can use this enrollment option to:


Feature Use this enrollment option when
You use Windows client.

Configuration Manager supports Windows Server.
You have Microsoft Entra ID P1 or P2
You'll use Conditional Access (CA) on devices enrolled using bulk enrollment with a provisioning package. ✅ On Windows 11 and Windows 10 1803+, CA is available for Windows devices enrolled using bulk enrollment.

❌ On Windows 10 1709 and older, CA isn't available for Windows devices enrolled using bulk enrollment.
You have remote workers.
Devices are personal or BYOD.

❌ If you use Group Policy, then bulk enrollment and automatic enrollment are for corporate-owned devices, not personal or BYOD.
Devices are owned by the organization or school.
You have new or existing devices.
Need to enroll a few devices, or a large number of devices (bulk enrollment).

Bulk enrollment is for organization-owned devices, not personal or BYOD.
Devices are associated with a single user.
Devices are user-less, like kiosk, dedicated, or shared device.

These devices are organization-owned. This enrollment method requires users to sign in with their organization account. An organization admin can sign in, and automatically enroll. When the device is enrolled, create a kiosk profile, and assign this profile to this device. You can also create a profile for devices shared with many users.
You use the optional device enrollment manager (DEM) account.

❌ DEM accounts don't work with Group Policy.
Devices are managed by another MDM provider.

To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune.

Automatic enrollment administrator tasks

  • Be sure your devices are running Windows 10/11. For a complete list, go to supported device platforms.

  • Optional. Instead of users entering the Intune server name, you can create a CNAME record that's easier to enter, like EnterpriseEnrollment.contoso.com. CNAME records associate a domain name with a specific server. In the Intune admin center, test your CNAME record to make sure it's configured correctly. For more information, go to create a CNAME record.

  • In the Intune admin center, select Windows Enrollment > Automatic Enrollment. In the configuration, you set the MDM user scope and MAM user scope:

    • MDM user scope: When set to Some or All, devices are joined to Microsoft Entra ID, and devices are managed by Intune. It doesn't matter who's signed in to the device, or if devices are personal or BYOD. When set to None, devices aren't joined to Microsoft Entra ID, and aren't managed by Intune.

      For example:

      • If you want to manage the device, then choose Some or All.
      • If you don't want to manage the device, then choose None.
      • If you want to only manage the organization account on the device, then choose None, and configure the MAM user scope.
      • If you want to manage the device and manage the organization account on the device, then choose Some or All, and configure the MAM user scope.
    • MAM user scope: When set to Some or All, the organization account on the device is managed by Intune. Devices are "registered" in Microsoft Entra ID. Devices aren't "joined" to Microsoft Entra ID, and aren't managed by Intune. This option is designed for BYOD or personal devices.

      For example:

      • If you want to manage the organization account on the device, then choose Some or All.
      • If you don't want to manage the organization account on the device, then choose None.
      • If you want to only manage the device, then choose None, and configure the MDM user scope.
      • If you want to manage the device and manage the organization account on the device, then choose Some or All, and configure the MDM user scope.

      For more information on joined devices vs. registered devices, go to:

  • For bulk enrollment, go to the Microsoft Store, and download the Windows Configuration Designer (WCD) app. Configure the Windows Configuration Designer app, and choose to enroll devices in Microsoft Entra ID. A package file is created. Put the package file on a USB drive, or on a network share.

    In the account settings on the device, users sign in with their organization account, and select this package file. Then, users are automatically enrolled.

    If your end users are familiar with running a file from these locations, they can complete the enrollment. For more information, go to automatic bulk enrollment.

  • For automatic enrollments using group policy:

    • Be sure your Windows client devices are supported in Intune, and supported for group policy enrollment.
    • Register your Active Directory in Microsoft Entra ID. For more specific information, go to Microsoft Entra integration with MDM.
    • Be sure your devices are Microsoft Entra hybrid joined devices. The devices must be registered in local AD and in Microsoft Entra ID.
    • In local on-premises AD, create an Enable automatic MDM enrollment using default Microsoft Entra credentials group policy. When group policy is refreshed, this policy is pushed to the devices, and users complete the configuration using their domain account (example: user@contoso.com).

    In the Intune admin center, you can use Group Policy analytics to see your on-premises group policies settings that are supported by cloud MDM providers, including Microsoft Intune.

    Tip

    If you want a cloud native solution to manage devices, then Windows Autopilot (in this article) might be the best enrollment option for your organization.

Automatic enrollment end user tasks

When users turn on the device, the next steps determine how they're enrolled. Clearly communicate the options users should choose on personal and organization-owned devices.

  • Organization-owned devices: Users turn on the device, step through the out-of-box experience (OOBE), and sign in with their work or school account (example: user@contoso.com). This step joins the device in Microsoft Entra ID, and the device is considered organization-owned. The device is fully managed, regardless of who's signed in. Users can open the Settings app and go to Accounts > Access work or school to confirm that their work account is connected.

    If users sign in with a personal account during the OOBE, they can still join the devices to Microsoft Entra ID using the following steps:

    1. Open the Settings app > Accounts > Access work or school > Connect.
    2. In Alternate actions, select Join this device to Azure Active Directory, and enter the information they're asked. This step joins the device to Microsoft Entra ID.

    When joined, the devices show as organization owned. In the Intune admin center, devices show as Microsoft Entra joined. Devices are managed by Intune, regardless of who's signed in.

    Users on devices enrolled using Group Policy are notified that there were configuration changes. The policy refresh can require users to sign in with their work or school account. Device enrollment automatically starts.

  • BYOD or personal devices: Users turn on the device, step through the out-of-box experience (OOBE), and sign in with their personal account. To register the device in Microsoft Entra ID:

    1. Open the Settings app > Accounts > Access work or school > Connect.

    2. In Connect, users choose to enter an Email address, or choose to Join this device to Azure Active Directory:

      • Email address: Users enter their organization email address. They're asked for more information, including the Intune server name or CNAME record. Be sure to give them all the information they need to enter.

        This option registers the device in Microsoft Entra ID. The devices show as personal, and show as Microsoft Entra registered in the Intune admin center. The organization user is managed by Intune; the device isn't managed by Intune.

        If you don't want to manage BYOD or personal devices, users must select Email address, and enter their organization email address.

      • Join this device to Azure Active Directory: Users enter the information they're asked, including their organization email address.

        This option joins the device in Microsoft Entra ID. The devices show as organization owned, and show as Microsoft Entra joined in the Intune admin center. Devices are managed by Intune, regardless of who's signed in.

        If you want to manage BYOD or personal devices, users must select Join this device to Azure Active Directory. Users should also know that their personal devices will be managed by their IT.

    For more information on the end user experience, go to enroll Windows client devices.

  • If using bulk enrollment, and your end users are familiar with running files from a network share or USB drive, they can complete the enrollment. If they're not comfortable with this step, then it's recommended that the admin enrolls.

  • On personal or BYOD non-Windows client devices, users must install the Company Portal app from the Microsoft Store. Once installed, they open the Company Portal app, and sign in with their organization credentials (user@contoso.com). They're asked for more information, including the Intune server name. Be sure to give them all the information they need to enter.

Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.

Windows Autopilot

Use on organization-owned devices running Windows 10/11.

Windows Autopilot uses the Windows client OEM version preinstalled on the device. You don't have to wipe the devices or use custom OS images. Windows Autopilot also requires Automatic enrollment, and uses the Intune admin center to create an enrollment profile. When users sign in with their organization account, they're automatically enrolled.

For more information about Windows Autopilot, go to Windows Autopilot overview or Windows Autopilot scenarios.


Feature Use this enrollment option when
You use Windows client.

Configuration Manager supports Windows Server.
You purchase devices from an OEM that supports the Windows Autopilot deployment service, or from resellers or distributors that are in the Cloud Solution Partners (CSP) program.
Devices are Microsoft Entra hybrid joined.

Microsoft Entra hybrid joined devices are joined to your on-premises Active Directory, and registered with your Microsoft Entra ID. Devices in Microsoft Entra ID are available to Intune. Devices that aren't registered in Microsoft Entra ID aren't available to Intune.

A full Microsoft Entra joined solution might be better for your organization. For more information, go to the Success with remote Windows Autopilot and Microsoft Entra hybrid join blog.
You have remote workers.

The OEM or partner can send devices directly to your users.
Devices are owned by the organization or school.
You have new or existing devices.

You can update existing desktops running older Windows versions, like Windows 7, to Windows 10. This option also uses Microsoft Configuration Manager.
Need to enroll a few devices, or a large number of devices (bulk enrollment).
You have Microsoft Entra ID P1 or P2.

Windows Autopilot uses Automatic enrollment. Automatic enrollment requires Microsoft Entra ID P1 or P2.
Devices are associated with a single user.
Devices are user-less, like kiosk, dedicated, or shared.

These devices are organization-owned. This enrollment method requires users to sign in with their organization account. An organization admin can sign in, and automatically enroll. When the device is enrolled, create a kiosk profile, and assign this profile to this device. You can also create a profile for devices shared with many users.
Devices are personal or BYOD.

Windows Autopilot is only for organization-owned devices. For BYOD or personal devices, use Windows automatic enrollment (in this article) or a User enrollment option (in this article).
Devices are managed by another MDM provider.

To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune.
You use the device enrollment manager (DEM) account.

DEM accounts don't apply to Windows Autopilot.

Windows Autopilot administrator tasks

After the profile is assigned, the devices start showing in the Intune admin center (Devices > By platform > Windows).

Windows Autopilot end user tasks

The end user experience depends on the Windows Autopilot deployment option you chose, like user driven or pre-provision.

  • Self-Deploying mode: No actions. This option doesn't associate a user with the device. Users just turn on the device, and the enrollment automatically starts.

    For more specific information, go to Windows Autopilot self-deploying mode.

  • Pre-provisioning: Users turn on the device, and sign in with their organization or school account. The enrollment automatically starts. Since the device is pre-provisioned by admins, the enrollment is faster compared to User-driven.

    For more specific information, go to pre-provisioned deployment.

  • Existing devices: Your users must do the following steps:

    1. Open the Software Center app, and select Operating systems.

    2. Select Autopilot for existing devices > Install. Content downloads, the drives are formatted, and Windows client OS installs.

      This step can take some time, and users must wait.

    3. Windows Autopilot runs, and users sign in with their organization or school account. The enrollment can automatically start. For more specific information, go to existing devices deployment.

  • User driven: Users turn on the device, and sign in with their organization or school account. The enrollment automatically starts. For more specific information, go to user-driven deployment.

Users typically don't like enrolling themselves, and may not be familiar with the Company Portal app. Be sure to provide guidance, including what information to enter. For some guidance on communicating with your users, see Planning guide: Step 5 - Create a rollout plan.

BYOD: User enrollment

Use for personal or BYOD (bring your own device) and organization-owned devices running Windows 10/11.

User enrollment uses the Settings app > Accounts > Access school or work feature on the devices. There's some overlap with User enrollment and Automatic enrollment.

With User enrollment, you can "register" the devices with Microsoft Entra ID or "join" the devices in Microsoft Entra ID:

  • Register: When you register devices in Microsoft Entra ID, the devices show as personal in the Intune admin center. Users get access to organization resources, like email. This option is common for BYOD or personal devices.
  • Join: When you join devices in Microsoft Entra ID, the devices are fully managed by Intune, and will receive any policies you create. This option is common for organization-owned devices. If users want their personal devices fully managed by Intune (and their organization IT), then they can join their personal devices.

Warning

In the Settings app > Accounts > Access school or work, you might see an Enroll only in device management option. This option doesn't register the device in Microsoft Entra ID. From an Intune perspective, we don't recommend this MDM-only option for BYOD or personal devices. As a result, this guide doesn't include any additional information or guidance.


Feature Use this enrollment option when
You use Windows client.

Configuration Manager supports Windows Server.
Devices are Microsoft Entra hybrid joined.

Microsoft Entra hybrid joined devices are joined to your on-premises Active Directory, and registered with your Microsoft Entra ID. Devices in Microsoft Entra ID are available to Intune. Devices that aren't registered in Microsoft Entra ID aren't available to Intune.

A full Microsoft Entra joined solution might be better for your organization. For more information, go to the Success with remote Windows Autopilot and Microsoft Entra hybrid join blog.
You have Microsoft Entra ID P1 or P2. ❌ Microsoft Entra ID P1 or P2 isn't required.

✅ If the devices join Microsoft Entra ID, then they can use Microsoft Entra ID P1 or P2 features, like Conditional Access.
You have remote workers.

Users should know that their personal devices might be managed by the organization IT.
Devices are personal or BYOD.
Devices are owned by the organization or school.

You can use User enrollment, but it's recommended to use Windows Autopilot (in this article) or Windows Automatic enrollment (in this article). They require fewer steps for your users.
You have new or existing devices.
Need to enroll a few devices, or a large number of devices (bulk enrollment).
Devices are associated with a single user.
Devices are user-less, like kiosk, dedicated, or shared device.

The user enrollment options require a user to sign in with an organization account, and use the Settings app, which isn't common on shared devices.
You use the device enrollment manager (DEM) account.

DEM accounts don't apply to User enrollment.
Devices are managed by another MDM provider. ✅ A device managed by another MDM provider can register in Microsoft Entra ID.

❌ To be fully managed by Intune, users need to unenroll from the current MDM provider, and then enroll in Intune.

User enrollment administrator tasks

Other than having Intune setup, there are minimal administrator tasks with this enrollment method.

  • Be sure your devices are running Windows 10 and newer. For a complete list, go to supported device platforms.

  • Optional. Instead of users entering the Intune server name, you can create a CNAME record that's easier to enter, like EnterpriseEnrollment.contoso.com. CNAME records associate a domain name with a specific server. In the Intune admin center, test your CNAME record to make sure it's configured correctly. For more information, go to create a CNAME record.

  • Decide if users can do organization work on personal devices. On personal devices, users are typically administrators, and used a personal email account (user@outlook.com) to configure the device. To register these devices in Microsoft Entra ID, use the Settings app. As an admin, tell users the options they should choose. Be specific.

    If an Intune Automatic enrollment policy will also deploy, then let users know the impact (MDM user scope vs. MAM user scope (in this article)).

  • If you have existing organization-owned devices and are enrolling them into Intune the first time, then we recommend using Automatic enrollment (in this article).

    Users can use the Settings app > Accounts to Join this device to Azure Active Directory, which joins the device to Microsoft Entra ID. If they do, deploy an Automatic enrollment (in this article) policy to enroll the device in Intune.

  • If you have new organization-owned devices, then we recommend using Windows Autopilot (in this article) or use Automatic enrollment (in this article). In the out-of-box experience (OOBE), users enter their organization account (user@contoso.com). This step registers the devices in Microsoft Entra ID. Deploy an Automatic enrollment (in this article) policy to enroll the device in Intune.

    If users use their personal email account in the OOBE, then the device isn't registered in Microsoft Entra ID, and the Automatic enrollment policy isn't deployed. In this scenario, users use the Settings app to Join this device to Azure Active Directory, which joins the device to Microsoft Entra ID. When the device is joined in Microsoft Entra ID, the Automatic enrollment policy deploys, and enrolls the device in Intune.

User enrollment end user tasks

Clearly communicate the options users should choose on personal and organization-owned devices. For more information on the end user experience, go to enroll Windows client devices.

  • BYOD or personal devices: These devices are probably existing devices that are already configured with a personal email account (user@outlook.com). Users must register the device using the Settings app:

    1. Connect the device to the internet.

    2. Open the Settings app > Accounts > Access work or school > Connect.

    3. In Connect, users choose to enter an Email address, or choose to Join this device to Azure Active Directory:

      • Email address: Users enter their organization email address and password. They're asked for more information, including the Intune server name or CNAME record. Be sure to give them all the information they need to enter.

        This option registers the device in Microsoft Entra ID. The devices show as personal, and show as Microsoft Entra registered in the Intune admin center. The organization user is managed by Intune; the device isn't managed by Intune.

        If you or your users don't want the organization IT to manage BYOD or personal devices, users must select Email address.

      • Join this device to Azure Active Directory: Users enter the information they're asked, including their organization email address and password.

        This option joins the device in Microsoft Entra ID. The devices show as organization owned, and show as Microsoft Entra joined in the Intune admin center. Devices are managed by Intune, regardless of who's signed in.

        If you want to manage BYOD or personal devices, users must select Join this device to Azure Active Directory. Users should also know that their personal devices will be managed by their IT.

  • Organization-owned devices: These devices can be existing devices or new devices. If new devices, users turn on the device, step through the out-of-box experience (OOBE), and sign in with their organization account (user@contoso.com). This step joins the device in Microsoft Entra ID, and the device is considered organization-owned. The device is fully managed, regardless of who's signed in. Users can open the Settings app > Accounts > Access work or school. It shows they're connected.

    For existing devices, or if users sign in with a personal account during the OOBE, they can join the devices to Microsoft Entra ID using the following steps:

    1. Open the Settings app > Accounts > Access work or school > Connect.
    2. In Alternate actions, select Join this device to Azure Active Directory, and enter the information they're asked.

    This step joins the device to Microsoft Entra ID. When joined, the devices show as organization owned, and show as Microsoft Entra joined in the Intune admin center. Devices are managed by Intune, regardless of who's signed in.

Co-management enrollment

If you use Configuration Manager, and want to continue to use Configuration Manager, then co-management enrollment is for you.

Co-management manages Windows 10/11 devices using Configuration Manager and Microsoft Intune together. You cloud-attach your existing Configuration Manager environment to Intune. This enrollment option runs some workloads in Configuration Manager, and other workloads in Intune.

For more specific information on co-management, go to What is co-management?.

Note

Tenant attach is also an option when using Configuration Manager. You don't enroll devices, but you can upload your Configuration Manager devices to the Intune admin center. Use the admin center to run some remote actions, go to your on-premises servers, and get OS information. For more information, go to enable tenant attach.


Feature Use this enrollment option when
You use Windows client.

Configuration Manager supports Windows Server.
You use Configuration Manager.

Configuration Manager can manage Windows Server.
Devices are Microsoft Entra hybrid joined.

Microsoft Entra hybrid joined devices are joined to your on-premises Active Directory, and registered with your Microsoft Entra ID. Devices in Microsoft Entra ID are available to Intune. Devices that aren't registered in Microsoft Entra ID aren't available to Intune.
Devices are enrolled in Intune.

You have devices you want to bring to co-management. Devices might have been enrolled using Windows Autopilot, or are direct from your hardware OEM.
You have Microsoft Entra ID P1 or P2.

Microsoft Entra ID P1 or P2 might be required depending on your co-management configuration. For more specific information, go to Paths to co-management.
You have remote workers.
Devices are owned by the organization or school.
Devices are personal or BYOD.
You have new or existing devices.

For devices that aren't running Windows 10/11, like Windows 7, you'll need to upgrade. For more specific information, go to Upgrade Windows 10 for co-management.
Need to enroll a few devices, or a large number of devices (bulk enrollment).
Devices are associated with a single user.
Devices are user-less, like kiosk, dedicated, or shared.

These devices are organization-owned. This enrollment method requires users to sign in with their organization account. An organization admin can sign in, and automatically enroll. When the device is enrolled, create a kiosk profile, and assign this profile to this device. You can also create a profile for devices shared with many users.
Devices are managed by another MDM provider.

To be co-managed, users need to unenroll from the current MDM provider. They shouldn't be enrolled using the Intune classic agents.
You use the device enrollment manager (DEM) account.

DEM accounts don't apply to co-management.

Co-management administrator tasks

The administrator tasks and requirements depend on the co-management option you choose. For more specific information, go to Paths to co-management.

When setting up co-management, you choose to:

Co-management end user tasks

Both options use Automatic enrollment. With Automatic enrollment, users sign in with their organization account (user@contoso.com), and then are automatically enrolled. They can also open the Settings app > Accounts > Access work or school > Connect, and sign in with organization email address and password.

Configuration Manager can randomize the enrollment, so enrollment might not occur immediately. When enrollment completes, it's ready to receive the policies and profiles you create.