Enroll Device to Intune (SCCM+Intune)



  • Azure subscription
  • License: an E3 or E5 license for the users being managed
  • MDM: enable the Intune MDM user scope for all users or for specific groups
  • Azure AD joined or hybrid Azure AD joined devices: for hybrid join, use Azure AD Connect to sync your on-premises Active Directory (including the computer objects) with Azure AD
  • Devices: corporate (SCCM co-managed) or personal devices
  • Network configuration: check Microsoft Documentation LINK


  • Intune supported operating systems

    You can manage devices running the following operating systems:


    • Apple iOS 13.0 and later
    • Apple iPadOS 13.0 and later
    • macOS 10.15 and later


    • Android 6.0 and later (including Samsung KNOX Standard 2.4 and higher: requirements)
    • Android enterprise: requirements


    • Windows 11 (Home, S, Pro, Education, and Enterprise editions)
    • Surface Hub
    • Windows 10 (Home, S, Pro, Education, and Enterprise versions)
    • Windows 10 and Windows 11 Cloud PCs on Windows 365
    • Windows 10 Enterprise 2019 LTSC
    • Windows 10 IoT Enterprise (x86, x64)
    • Windows Holographic for Business
    • Windows 10 Teams (Surface Hub)
    • Windows 10 version 1709 (RS3) and later, Windows 8.1 RT, PCs running Windows 8.1 (Sustaining mode)


To manage devices in Intune, devices must first be enrolled in the Intune service. Both personally owned and corporate-owned devices can be enrolled for Intune management.

There are two ways to get devices enrolled in Intune:

  • Users can self-enroll their Windows PCs
  • Admins can configure policies to force automatic enrollment without any user involvement

User self-enrollment in Intune

Users can self-enroll their Windows device by using any of these methods:

  • Bring your own device (BYOD): Users enroll their personally owned devices by downloading and installing the Company Portal app. This process:
    • Registers the device with Azure Active Directory to gain access to corporate resources such as email.
    • Enrolls the device in Intune as a personally owned device (BYOD). If an administrator has configured auto-enrollment (available with Azure AD Premium subscriptions), the user only has to enter their credentials once. Otherwise, they have to enroll separately through MDM-only enrollment and re-enter their credentials.
  • MDM-only enrollment lets users enroll an existing workgroup, Active Directory, or Azure Active Directory joined PC into Intune from Settings on that PC. This method isn't recommended because it doesn't register the device in Azure Active Directory, which also prevents the use of features such as Conditional Access.
  • Azure Active Directory (Azure AD) join joins the device to Azure Active Directory and lets users sign in to Windows with their Azure AD credentials. If auto-enrollment is enabled, the device is automatically enrolled in Intune, so the user completes a single step. Otherwise, they have to enroll separately through MDM-only enrollment and re-enter their credentials. Users enroll this way either during the initial Windows OOBE or from Settings. The device is marked as corporate-owned in Intune.
  • Autopilot automates Azure AD join and enrolls new corporate-owned devices into Intune. This method simplifies the out-of-box experience and removes the need to apply custom operating system images to the devices. When admins use Intune to manage Autopilot devices, they can manage policies, profiles, apps, and more after the devices are enrolled. There are four Autopilot deployment types:
    • Self-deploying mode, for kiosks, digital signage, or shared devices.
    • User-driven mode, for traditional users.
    • Windows Autopilot for pre-provisioned deployment, which lets partners or IT staff pre-provision a PC running Windows 10 or Windows 11 so that it is fully configured and business-ready when the user receives it.
    • Windows Autopilot for existing devices, which lets you deploy the latest version of Windows to devices you already own.
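Autopilot only works for devices whose hardware hash has already been registered in the tenant, so the first practical step is collecting that hash. The script below is an added example, not part of the original article or of Microsoft's own Get-WindowsAutoPilotInfo script; it reads the hash the same way that script does (the MDM_DevDetail_Ext01 class in the root/cimv2/mdm/dmmap WMI bridge) and writes the CSV layout the Intune Autopilot import accepts. It assumes it runs in an elevated PowerShell session on a supported Windows 10/11 build; the function name, the Kiosk group tag and the output file name are the example's own choices.

```powershell
# Added example, not from the original article: capture the Autopilot hardware hash
# from a running Windows 10/11 PC and write it in the CSV layout the Intune
# Autopilot device import expects (Device Serial Number, Windows Product ID,
# Hardware Hash, plus an optional Group Tag column).
# Assumptions: the script runs elevated, and the MDM WMI bridge namespace
# root/cimv2/mdm/dmmap (present on supported Windows 10/11 editions) is reachable.

function Get-AutopilotRegistrationRecord {
    [CmdletBinding()]
    param(
        # Optional Autopilot group tag, used to target deployment profiles via dynamic groups.
        [string]$GroupTag = ''
    )

    # Serial number exactly as the OEM wrote it to the firmware tables.
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber.Trim()

    # The hash is exposed by the MDM bridge class MDM_DevDetail_Ext01.
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' `
        -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail -or [string]::IsNullOrEmpty($devDetail.DeviceHardwareData)) {
        throw 'Hardware hash unavailable: run elevated on a supported Windows 10/11 build.'
    }

    # Sanity check: a valid hash is base64 and several kilobytes long. A short or
    # non-base64 value means the read failed and must not be imported.
    $raw = [Convert]::FromBase64String($devDetail.DeviceHardwareData)
    if ($raw.Length -lt 1024) {
        throw "Hardware hash is unexpectedly short ($($raw.Length) bytes)."
    }

    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''        # optional column, left blank
        'Hardware Hash'        = $devDetail.DeviceHardwareData
        'Group Tag'            = $GroupTag
    }
}

# Write one CSV per device. The reference Get-WindowsAutoPilotInfo script strips the
# quotes that ConvertTo-Csv adds, so this example does the same.
$record = Get-AutopilotRegistrationRecord -GroupTag 'Kiosk'
$record | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } |
    Out-File -FilePath ".\$($record.'Device Serial Number').csv" -Encoding ascii
```

Upload the resulting file in the Intune admin center under Windows enrollment, Devices, Import. Treat the CSV as sensitive: the hash is the device's identity for Autopilot, and anyone holding it can register that device into a tenant, so keep the files access-controlled and delete them after import.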

Administrator-based enrollment in Intune

Administrators can set up the following methods of enrollment that require no user interaction:

  • Hybrid Azure AD Join lets administrators configure Active Directory group policy to automatically enroll devices that are hybrid Azure AD joined.
  • Configuration Manager Co-management lets administrators enroll their existing Configuration Manager managed devices into Intune to get the dual benefits of Intune and Configuration Manager.
  • Device enrollment manager (DEM) is a special service account. DEM accounts have permissions that let authorized users enroll and manage multiple corporate-owned devices. These types of devices are good for point-of-sale or utility apps, for example, but not for users who need to access email or company resources. Be aware that there are some limitations with DEM accounts as documented here.
  • Bulk enroll lets an authorized user join large numbers of new corporate-owned devices to Azure Active Directory and Intune. You create a provisioning package with the Windows Configuration Designer (WCD) app. Then, using USB media during initial Windows OOBE experience or from existing Windows PC, you install the provisioning package to automatically enroll the devices into Intune.
  • Enrolling Windows IoT Core devices is accomplished by using the Windows IoT Core Dashboard to prepare the device, and then using Windows Configuration Designer to create a provisioning package. Then, using SD Card media during initial boot up, it installs the provisioning package to automatically enroll the devices into Intune.
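For the group-policy path on hybrid Azure AD joined devices, the usual support question is whether the policy arrived and whether the device actually enrolled. The script below is an added example, not part of the original article: it checks join state with dsregcmd, reads the registry values the "Enable automatic MDM enrollment using default Azure AD credentials" policy sets, lists completed Intune enrollments, and starts the enrollment task if none exists. The registry paths, the task path and name, and the ProviderID value for Intune are the documented locations as the author of this example understands them; the function names and messages are the example's own.

```powershell
# Added example, not from the original article: on a hybrid Azure AD joined PC,
# verify that the auto-enrollment policy arrived, check whether the device has
# enrolled in Intune, and start the enrollment task if it has not. Run elevated.
# Assumed locations (as documented for the GPO "Enable automatic MDM enrollment
# using default Azure AD credentials"): the policy writes AutoEnrollMDM and
# UseAADCredentialType under HKLM\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM,
# creates a task under \Microsoft\Windows\EnterpriseMgmt\, and a completed Intune
# enrollment appears under HKLM\SOFTWARE\Microsoft\Enrollments with ProviderID
# 'MS DM Server'.

function Test-HybridAzureAdJoin {
    # dsregcmd is the authoritative view of join state; both flags must be YES.
    $status = dsregcmd /status
    $aad    = [bool]($status -match '^\s*AzureAdJoined\s*:\s*YES')
    $domain = [bool]($status -match '^\s*DomainJoined\s*:\s*YES')
    $aad -and $domain
}

function Get-AutoEnrollPolicy {
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        AutoEnrollMDM        = $p.AutoEnrollMDM          # 1 = enabled
        UseAADCredentialType = $p.UseAADCredentialType   # 1 = user credential, 2 = device credential
    }
}

function Get-IntuneEnrollment {
    # Each enrollment is a GUID-named subkey; keep only the Intune provider.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object @{ n = 'EnrollmentId'; e = { $_.PSChildName } },
                      EnrollmentType, EnrollmentState, UPN
}

function Start-AutoEnrollment {
    # The GPO creates this task; it runs deviceenroller.exe /c /AutoEnrollMDM.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like 'Schedule created by enrollment client for automatically enrolling in MDM*' }
    if (-not $task) {
        throw 'Auto-enrollment task not found: the GPO has not applied (try gpupdate /force) or the device is not hybrid joined.'
    }
    $task | Start-ScheduledTask
}

if (-not (Test-HybridAzureAdJoin)) {
    throw 'Device is not hybrid Azure AD joined; GPO-based auto-enrollment requires it.'
}
$policy = Get-AutoEnrollPolicy
if ($policy.AutoEnrollMDM -ne 1) {
    throw 'AutoEnrollMDM policy is not set; check the GPO scope with gpresult /r.'
}
$enrollment = Get-IntuneEnrollment
if ($enrollment) {
    $enrollment | Format-Table -AutoSize
} else {
    Start-AutoEnrollment
    Write-Output 'Enrollment task started; run Get-IntuneEnrollment again after a few minutes.'
}
```

If the task runs but no enrollment appears, look in the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin event log for the error the enrollment client recorded; the same registry check works after a bulk-enrollment provisioning package has been applied, since that path ends in the same Enrollments key.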


Source: https://docs.microsoft.com/en-us/mem/intune/enrollment/windows-enrollment-methods


