In this blog post, we will explore different ways to enroll a Windows device into Intune. When a device joins Entra ID, it can automatically enroll into Intune. You can also use Autopilot for Intune enrollment. During the Intune device enrollment process, an MDM certificate is installed on the device. This certificate is used to communicate with the Intune service and enforce compliance and other device configuration policies from the Intune admin center.
Contents
Prerequisites
| Intune License Plan 1 must be assigned to the users. (Included in M365 E3, E5,F1,F3, Business premium, Gov G5, Gov G3, EMS E3, EMS E5) | Intune license Plan 1 |
| Supported Operating systems for Enrollment | Operating systems and browsers supported by Microsoft Intune | Microsoft Learn |
| MDM Authority is set to Intune or Intune + Configuration Manager (For newer tenants, this may automatically be set to Intune) | MDM Authority |
Types of Windows Devices Supported for Intune Enrollment
- Personally Owned: These are personal/BYOD devices, it can be enrolled in Intune based on device platform restriction settings configured on Intune admin center.
- Corporate Owned: These devices are generally provided by your organization and can be fully managed with Intune.
Ways to Enroll Windows Devices into Intune
- Windows Automatic Enrollment
- Windows Autopilot
- BYOD Device Enrollment by User
- Co-management with Configuration Manager
Method 1: Using Windows Automatic Enrollment
After a Windows device is joined/registered to Entra, It can be automatically enrolled into Intune. For Automatic Enrollment of your Windows 10 and Windows 11 devices, you will require a Microsoft Entra ID P1 or Entra ID P2 license. This method allows you to enroll personal and corporate-owned devices.
For Automatic Enrollment of Devices into Intune, You will need to create a CNAME record, configure Automatic Enrollment and Device platform restrictions. You can use below links to configure.
- Create a CNAME record in DNS (Optional but recommended).
- Configure Automatic Enrollment.
- Configure Device platform restrictions.
- Corporate Devices: Your company typically provides and owns these types of devices. Users can go through the Out of Box Experience (OOBE) and enter their organizational credentials. This step will join the machine to Entra ID and as we have configured automatic enrollment, the device will be automatically enrolled into Intune.
- BYOD/Personal Devices: For personal device types, users can log in to the device using personal account credentials, such as a Microsoft Account, and then follow below steps to register the device in Entra ID.
- Open the Settings app > Accounts > Access work or school > Connect.
- Enter the Email Address and click on Next to proceed. This step will register your device as Personal into Entra ID. The device will be unmanaged.
Method 2: Using Windows Autopilot
Windows Autopilot relies on automatic enrollment and, as a prerequisite, also requires an Entra ID P1 or Entra ID P2 license. Utilizing the Autopilot Out of Box Experience (OOBE), the device is automatically enrolled in Intune based on the Autopilot deployment profile.
It’s important to note that Autopilot is generally used for organization owned devices, where the device’s hardware hash is already imported in Intune. For more information, refer to the guide: Windows Autopilot Setup – A Comprehensive Guide. You can also use Autopilot device preparation method which is recently introduced and works a bit different from the classic Autopilot.
Prerequisites
- Create an Autopilot Deployment profile.
- Upload Device hardware hash in Intune.
Device Enrollment Steps
Based on the Autopilot Deployment profile, a device is automatically enrolled in Intune when a user authenticates with their organization-provided credentials during the Out of Box Experience (OOBE). There are three Autopilot deployment options:
- Self-Deploying mode: Enrollment starts automatically when a user turns on the device. It will automatically Join it to Entra ID and Enroll in Intune.
- User-driven: After a device is shipped to the user, the user can automatically sign in to the device to start the Entra ID join and Intune Enrollment process.
Method 3: BYOD Device Enrollment by User
These steps apply to personal or BYOD-type devices you wish to enroll in Intune. These devices will show as Personal in Entra ID.
Prerequisites
- Create a CNAME record in DNS (Optional but recommended).
Device Enrollment Steps
You can register your device with Entra ID as a personal device using the below steps.
- Go to Settings App > Accounts > Access school or work > Connect.
- Enter the Organization Provided Email Address in the text box and click Next.
- This registers your device in Entra ID and displays it as Personal. In this case, It’s important to note that Intune manages the organization user, not the device.
Users can also join a BYOD-type device to Entra ID by clicking on Join this device to Entra ID. However, that depends upon the Device platform restriction settings. If Enrollment of personal devices is not allowed, you may get an error code 80180014. For more information about this error code, refer to the link: Fix for error code 80180014.
Method 4: Co-Management Enrollment
If you use Configuration Manager and Intune together to manage Windows 10/11 devices, you can use the Co-management enrollment method. This method runs some services in the configuration manager and some in Intune.
If Automatic Enrollment is enabled, users will sign in on the device and automatically enroll in Intune. However, users also have the option to manually go to Settings > Accounts > Access work or school > Connect and sign in with their organizational email address and password.
