Introduction
This article is Part 1 of a four-part series on enrolling devices with Microsoft Intune, designed for IT support teams in both enterprise and education settings. In this first instalment, we focus on Intune Automatic Device Enrollment, a powerful method that allows Windows devices to be enrolled seamlessly into your organisation’s management platform.
Device enrollment is the process of registering a Windows device with a Mobile Device Management (MDM) solution such as Microsoft Intune. This enables IT teams to configure, secure, and monitor devices remotely, ensuring compliance with company policies and providing users with the resources they need from day one.
Enrollment is a critical first step in modern device management. It allows organisations to:
- Deploy security policies and updates remotely
- Manage applications and settings centrally
- Protect sensitive data
- Support users efficiently
Whether you’re rolling out laptops to staff in a school or provisioning devices for remote workers in a business, Intune Automatic Device Enrollment ensures that each device is ready to go securely and compliantly.
Why Do We Enroll Devices?
Enrolling devices ensures that every Windows laptop, desktop, or tablet used for work is compliant with organisational standards. It helps IT support teams (like yours) to:
- Prevent unauthorised access to company resources
- Apply security controls (e.g., antivirus, disk encryption)
- Troubleshoot issues remotely
- Roll out new software and updates seamlessly
Without enrollment, devices may be vulnerable to threats, lack essential configurations, or be unable to access company resources.
Real-World Examples
- A school deploying laptops to staff and students: Enrollment ensures each device receives the correct Wi-Fi settings, security policies, and access to educational apps.
- A business rolling out new laptops to remote workers: Devices are enrolled before shipping, so users can log in and start working securely from day one.
- IT support in a hospital: Enrollment allows for quick updates to security policies and remote troubleshooting, keeping sensitive patient data protected.
Typical Ways to Enroll a Windows Device
There are several common methods to enroll Windows devices:
1. Automatic Enrollment via Azure AD Join – Devices joined to Azure Active Directory (AAD) can be automatically enrolled in Intune if configured by your organisation.
2. Manual Enrollment via Settings – Users can manually enroll their device using the Windows Settings app.
3. Provisioning Packages – IT admins can create provisioning packages using Windows Configuration Designer to automate enrollment for multiple devices.
4. Bulk Enrollment (Windows Autopilot) – For large deployments, Windows Autopilot allows devices to be pre-configured and enrolled as soon as they’re powered on.
1. Intune Automatic Device Enrollment via Entra Join
Step 1: Access Microsoft Endpoint Manager Admin Center
- Go to https://endpoint.microsoft.com
- Sign in with your Global Administrator account.
Step 2: Configure Automatic MDM Enrollment
In the admin centre, navigate to: Devices > Device Onboarding > Windows Enrollment > Automatic Enrollment.
Under MDM user scope, choose:
- All (recommended for corporate devices).
- Or Some, then select a specific group (e.g., “IT Support”).
For MAM user scope, select None (unless you plan to manage apps separately).
Click Save.

Step 3: Configure DNS CNAME Records (Optional but Recommended)
- Add CNAME records in your domain provider's DNS zone editor to simplify enrollment:

- Test configuration in Endpoint Manager → Windows Enrollment → CNAME validation.
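The same check can be scripted from an admin workstation. This is an added example, not part of the original guide: the two expected targets are Microsoft's documented enrollment and registration CNAMEs (assumed here, since the guide's own record list is not reproduced), and the -Resolver parameter and the contoso.example domain are hypothetical, used so the check also runs on constructed data.

```powershell
# Added example: compare a domain's enrollment CNAMEs with the expected targets.
# The targets below are assumed from Microsoft's documentation, not from this page.
function Test-EnrollmentCname {
    param(
        [Parameter(Mandatory)][string]$Domain,
        # Hypothetical hook so the check can run on constructed data;
        # by default it performs a live lookup with Resolve-DnsName.
        [scriptblock]$Resolver = {
            param($Name)
            (Resolve-DnsName -Name $Name -Type CNAME -ErrorAction SilentlyContinue |
                Where-Object { $_.Type -eq 'CNAME' } |
                Select-Object -First 1).NameHost
        }
    )
    $expected = [ordered]@{
        "EnterpriseEnrollment.$Domain"   = 'EnterpriseEnrollment-s.manage.microsoft.com'
        "EnterpriseRegistration.$Domain" = 'EnterpriseRegistration.windows.net'
    }
    foreach ($name in $expected.Keys) {
        $actual = & $Resolver $name
        if (-not $actual) {
            $status = 'Missing'      # no CNAME published for this name
        } elseif ("$actual".TrimEnd('.') -ieq $expected[$name]) {
            $status = 'OK'
        } else {
            $status = 'Mismatch'     # record points somewhere unexpected: investigate
        }
        [pscustomobject]@{
            Record = $name; Expected = $expected[$name]; Actual = $actual; Status = $status
        }
    }
}

# Constructed resolver standing in for DNS: one correct record, one wrong target.
$constructed = {
    param($Name)
    if ($Name -like 'EnterpriseEnrollment.*') {
        'enterpriseenrollment-s.manage.microsoft.com'
    } else {
        'login.contoso.example'
    }
}
Test-EnrollmentCname -Domain 'contoso.example' -Resolver $constructed | Format-Table -AutoSize
# Live check against real DNS: Test-EnrollmentCname -Domain 'yourdomain.example'
```

A Mismatch result deserves attention before rollout, because devices follow whatever target the record names when they look for the enrollment service.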

Step 4: Verify Licensing
- Ensure all users in the MDM scope have Intune licences.
- Go to https://admin.cloud.microsoft
- Check under Billing > Licenses > License Name > Groups

- To double-check that the user has an Intune licence, tick the group and select Manage Apps & Services.
- Make sure Intune is ticked
Step 5: Device Join and Enrollment
For corporate devices:
- Join devices to Microsoft Entra ID during OOBE by selecting Set up for work or school and signing in with your work or school account.

For BYOD:
- Users install the Company Portal from the Microsoft Store and sign in with work credentials, or use Access work or school in Settings as in the previous step.

Or go to Settings > Accounts > Access Work or School and select Connect.

Step 6: Validate Enrollment
In Endpoint Manager > Devices > All devices, confirm devices show as Managed by Intune. Check compliance status and sync settings.

Also check on the device itself: under Settings > Accounts > Access Work or School, the account will show as connected.
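For a scriptable device-side check, the built-in dsregcmd /status command reports join state and the MDM URL the tenant handed to the device. The parser below is an added example, not part of the original guide; the function name, the finding texts and the sample lines are constructed for illustration, and it assumes Intune's discovery URL is hosted on enrollment.manage.microsoft.com.

```powershell
# Added example: summarise join and MDM state from `dsregcmd /status` output.
function Get-EnrollmentState {
    param(
        # Defaults to the live command; pass saved lines to analyse another device.
        [string[]]$StatusLines = (dsregcmd.exe /status)
    )
    $kv = @{}
    foreach ($line in $StatusLines) {
        # Lines look like "   AzureAdJoined : YES"; the value may itself contain ':'.
        if ($line -match '^\s*(\w+)\s*:\s*(.+?)\s*$') { $kv[$Matches[1]] = $Matches[2] }
    }
    $joined = $kv['AzureAdJoined'] -eq 'YES'
    $mdmUrl = $kv['MdmUrl']
    # Assumption: Intune's MDM discovery URL lives on this host.
    $intune = "$mdmUrl" -match '^https://enrollment\.manage\.microsoft\.com/'

    if (-not $joined) {
        $finding = 'Not Entra joined'
    } elseif (-not $mdmUrl) {
        # Joined without an MDM URL: the user was outside the MDM user scope
        # (Step 2) or unlicensed (Step 4), so the device is not under management.
        $finding = 'Joined, no MDM URL returned: check MDM user scope and licence'
    } elseif (-not $intune) {
        $finding = 'Joined, but MDM URL is not the Intune host'
    } else {
        $finding = 'Joined and pointed at Intune'
    }
    [pscustomobject]@{
        EntraJoined = $joined
        TenantName  = $kv['TenantName']
        MdmUrl      = $mdmUrl
        Finding     = $finding
    }
}

# Constructed sample: a joined device whose user was outside the MDM scope.
$sample = @'
             AzureAdJoined : YES
              DomainJoined : NO
                TenantName : Contoso (constructed)
'@ -split '\r?\n'
Get-EnrollmentState -StatusLines $sample | Format-List
# On a real device, run Get-EnrollmentState with no arguments.
```

Use this alongside the portal view rather than instead of it: the MDM URL shows where the device was told to enroll, while the All devices list confirms that enrollment actually completed.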

Intune Automatic Device Enrollment simplifies the process of bringing Windows devices under management, whether they’re corporate-owned or BYOD. By configuring automatic enrollment, IT teams can ensure that devices are compliant, secure, and ready for use without manual setup.
Now, we’re taking things further with Windows Autopilot, a modern provisioning solution that transforms how organisations deploy Windows devices. This guide covers everything from prerequisites and dynamic groups to deployment profiles and the Enrollment Status Page (ESP), giving you a complete roadmap for zero-touch provisioning.
👉 Read the full guide here: Windows Autopilot: The Complete Guide (2025)

