This blog post will explore different methods for enrolling Windows 10/11 devices into Intune. Microsoft Intune works with Entra ID to streamline the registration and enrollment process for personal and organization-owned Windows devices.
Once the device is joined or registered with the Entra ID tenant, you can use Intune to manage these devices. During the Intune device enrollment process, an MDM certificate is installed. This certificate is used to communicate with the Intune service and enforce compliance and other device configuration policies from the Intune admin center.
The enrollment restrictions policy controls device enrollment in Intune. You can set up device enrollment restrictions from Intune admin center to control which devices can enroll.
Table of Contents
Types of Windows Devices Supported for Intune Enrollment
Using Intune, you can enroll the following two types of devices:
- Personally Owned—These devices are the user’s personal devices, supporting a Bring Your Own Device (BYOD) scenario. You can enroll these types of devices into Intune.
- Corporate Owned – These devices are typically owned by your organization and support a scenario of end-to-end device management controls via Intune.
If you have not set up Intune MDM and MAM configuration to support Windows devices, refer to this step-by-step guide: Initial Setup of Microsoft Intune MAM/MDM. To learn more about Intune reviews, pricing, and features, please refer to the link: Microsoft Intune Reviews, Pricing, and Features.
Prerequisites
There are a few prerequisites for enrolling your Windows devices into Intune. Please find them below:
- Ensure that the Windows device is Supported for Intune Enrollment. Supported Windows Devices.
- An Intune License is assigned to the Users.
- MDM Authority is set to Intune or Intune + Configuration Manager.
Methods to Enroll Windows Devices into Intune
Multiple methods exist to enroll Windows 10 and Windows 11 devices into Intune.
- Windows Automatic Enrollment
- Windows Autopilot
- BYOD: User Enrollment
- Co-management with Configuration Manager
Method 1 – Using Windows Automatic Enrollment
For Automatic Enrollment of your Windows 10 and Windows 11 devices, you will require a Microsoft Entra ID P1 or Entra ID P2 license. This method allows you to enroll personal and corporate-owned devices.
Prerequisites
- Create a CNAME record in DNS (Optional but recommended).
- Configure Automatic Enrollment.
Device Enrollment steps
Depending on the device type, a Windows device can be automatically enrolled in Intune by the end user using the following steps:
- Corporate Devices – Your company typically owns these types of devices. When automatic enrollment is configured, Users can go through the Out of Box Experience (OOBE) and enter their organizational credentials. This step will join the machine to Entra ID, and enrollment in Intune will be automatic.
- BYOD/Personal Devices – For personal device types, users can log in to the device using personal account credentials, such as a Microsoft Account, and then follow the steps below to register the device in Entra ID.
- Open the Settings app > Accounts > Access work or school > Connect.
- Enter the Email Address and click on Next to proceed. This step will register your device as Personal into Entra ID. The device will be unmanaged.
Method 2 – Using Windows Autopilot
Windows Autopilot relies on automatic enrollment and, as a prerequisite, also requires an Entra ID P1 or Entra ID P2 license. Utilizing the Autopilot Out of Box Experience (OOBE), the device is automatically enrolled in Intune based on the Autopilot Deployment/Enrollment Profile.
It’s important to note that Windows Autopilot can only be used for organization-owned devices and does not apply to personal or BYOD (Bring Your Own Device) types. To learn more about Windows Autopilot and how to set it up, follow this link: Windows Autopilot Setup—A Comprehensive Guide.
Prerequisites
- Create an Autopilot Deployment profile.
- Upload Device hardware hash in Intune.
Device Enrollment Steps
Based on the Autopilot Deployment profile, a device is automatically enrolled in Intune when a user authenticates with their organization-provided credentials during the Out of Box Experience (OOBE). There are three Autopilot deployment options:
- Self-Deploying mode – Enrollment starts automatically when a user turns on the device. It will automatically Join it to Entra ID and Enroll in Intune.
- Pre-provisioning – As the device is pre-provisioned, the Enrollment process kicks in when a user signs in.
- User-driven – After a device is shipped to the user, the user can automatically Sign in to the device to start the Entra ID join and Intune Enrollment process.
Method 3 – BYOD: User Enrollment
These steps apply to personal or BYOD-type devices you wish to enroll in Intune. These devices will show as Personal in Entra ID.
Prerequisites
- Create a CNAME record in DNS (Optional but recommended).
Device Enrollment Steps
You can register your device with Entra ID as a personal device using the below steps.
- Go to Settings App > Accounts > Access school or work > Connect.
- Enter the Organization Provided Email Address in the text box and click Next.
- This registers your device in Entra ID and displays it as Personal. It’s important to note that Intune manages the organization user, not the device.
If your organization allows, you can join a BYOD-type device to Entra ID by clicking on Join this device to Entra ID. This ensures that Intune manages the personal device. If you don’t want to manage a Personal device by Intune, enter the email address and click Next without clicking Join this device to Entra ID.
If you attempt to join a Windows device using Entra ID and encounter error code 80180014, it may indicate that the administrator has not permitted the enrollment of Personal/BYOD (Bring Your Own Device) types in Intune. To address this issue, please refer to the article Fix for error code 80180014 for guidance.
Method 4 – Co-Management Enrollment
If you use Configuration Manager and Intune together to manage Windows 10/11 devices, you can use the Co-management enrollment method. This method runs some services in the configuration manager and some in Intune.
If Automatic Enrollment is enabled, users will sign in on the device and automatically enroll in Intune. However, users also have the option to manually go to Settings > Accounts > Access work or school > Connect and sign in with their organizational email address and password.
