How to Enroll Windows Devices in Microsoft Intune

Step-by-step guide to enroll Windows devices in Microsoft Intune. Learn automatic enrollment, manual methods, and bulk enrollment options.

Updated January 2025

Microsoft Intune provides comprehensive mobile device management (MDM) capabilities for Windows devices, enabling organizations to enforce security policies, deploy applications, and maintain compliance across their device fleet. This guide covers multiple enrollment methods to help you choose the best approach for your organization.

Overview

Windows device enrollment in Intune can be accomplished through several methods, each suited to different scenarios:

Enrollment Method      | Best For                               | User Involvement    | Prerequisites
Automatic Enrollment   | Corporate devices, seamless deployment | Minimal             | Azure AD Premium P1
User-Driven Enrollment | BYOD scenarios, existing devices       | User performs setup | Azure AD account
Windows Autopilot      | New device provisioning                | Minimal             | Hardware hash registration
Bulk Enrollment        | Large deployments, kiosk devices       | None                | Provisioning package
Co-management          | Hybrid environments                    | Varies              | Configuration Manager

Prerequisites

Before enrolling Windows devices, ensure you have the following:

Licensing Requirements:

  • Microsoft Intune license (standalone or included with Microsoft 365 E3/E5, Business Premium)
  • Azure AD Premium P1 (required for automatic enrollment)
  • Appropriate Windows licensing (Pro, Enterprise, or Education)

Administrative Access:

  • Global Administrator or Intune Administrator role
  • Access to Microsoft Intune admin center (intune.microsoft.com)

Technical Requirements:

  • Windows 10 version 1709 or later (Windows 11 recommended)
  • Windows Pro, Enterprise, or Education edition
  • Internet connectivity for device communication
  • Valid Azure AD user accounts

Recommended Preparation:

  • Configure MDM authority in Intune
  • Set up Azure AD automatic enrollment
  • Create device compliance policies
  • Prepare configuration profiles

Method 1: Configure Automatic MDM Enrollment

Automatic enrollment enables devices to enroll in Intune when users join or register with Azure AD. This is the recommended approach for corporate environments.

Step 1: Access Azure AD Enrollment Settings

  1. Sign in to the Microsoft Intune admin center: https://intune.microsoft.com
  2. Navigate to Devices > Enrollment
  3. Select Windows > Windows enrollment
  4. Click Automatic Enrollment

Step 2: Configure MDM User Scope

  1. Under MDM user scope, select one of the following:

    • None: Disables automatic MDM enrollment
    • Some: Enables enrollment for selected Azure AD groups
    • All: Enables enrollment for all users
  2. If you selected Some:

    • Click Select groups
    • Search for and select the groups to include
    • Click Select
  3. Configure MDM terms of use URL (optional):

    • Enter: https://portal.manage.microsoft.com/TermsofUse.aspx
    • This displays terms during enrollment
  4. Leave MDM discovery URL and MDM compliance URL at default values

Step 3: Configure MAM User Scope (Optional)

Mobile Application Management (MAM) without enrollment allows app protection policies on unmanaged devices:

  1. Under MAM user scope, select:

    • None: No MAM-only users
    • Some: Enable MAM for specific groups
    • All: Enable MAM for all users
  2. If you select Some or All, MAM policies can protect apps without full device enrollment

  3. Click Save to apply settings

Step 4: Verify Enrollment Configuration

  1. Navigate to Devices > Enrollment > Windows > Enrollment Status Page
  2. Verify the enrollment status page is configured (optional but recommended)
  3. Check Devices > Windows > Windows devices to confirm enrollment is working

Method 2: User-Driven Enrollment via Settings

This method allows users to enroll their existing Windows devices through the Settings app.

Step 1: Prepare the Device

Ensure the device meets requirements:

  1. Verify Windows edition (Pro, Enterprise, or Education)
  2. Check Windows version: Settings > System > About
  3. Ensure the device is connected to the internet
  4. Have the user's Azure AD credentials ready

Step 2: Access Work or School Settings

  1. On the Windows device, open Settings
  2. Select Accounts
  3. Click Access work or school
  4. Click Connect

Step 3: Join Azure AD (Corporate Device)

For corporate-owned devices that should be fully managed:

  1. In the connection dialog, click Join this device to Azure Active Directory
  2. Enter the user's work email address
  3. Click Next
  4. Enter the user's password
  5. Complete multi-factor authentication if prompted
  6. Review the organization information and click Join
  7. The device will:
    • Join Azure AD
    • Automatically enroll in Intune (if automatic enrollment is configured)
    • Apply assigned policies and configurations

Step 4: Register with Azure AD (BYOD)

For personal devices accessing work resources:

  1. In the connection dialog, enter the user's work email address
  2. Click Next
  3. Enter the user's password
  4. Complete multi-factor authentication if prompted
  5. Review and accept any terms of use
  6. Click Done

The device is now registered with Azure AD and enrolled in Intune for MAM policies.

Step 5: Verify Enrollment

  1. Return to Settings > Accounts > Access work or school
  2. Click on the connected account
  3. Click Info to view enrollment status
  4. Verify Device sync status shows "Last sync: [recent time]"

Method 3: Windows Autopilot Enrollment

Windows Autopilot provides zero-touch deployment for new devices, transforming an out-of-box experience into a fully configured, managed device.

Step 1: Obtain Device Hardware Hashes

Hardware hashes identify devices for Autopilot. Obtain them through:

Option A: From Device Manufacturer

  • Request hardware hashes from your hardware vendor (Dell, HP, Lenovo, etc.)
  • Many vendors can upload directly to your Intune tenant

Option B: From Existing Devices

Run this PowerShell script as Administrator:

# Install the script from the PowerShell Gallery (needs an elevated session and internet access)
Install-Script -Name Get-WindowsAutoPilotInfo -Force

# Make sure the output folder exists; the script writes the CSV but does not create the folder
New-Item -ItemType Directory -Path C:\Temp -Force | Out-Null

# Capture this device's hardware hash into a CSV for import into Intune
# (if the command is not found, open a new elevated PowerShell window so the updated PATH is picked up)
Get-WindowsAutoPilotInfo -OutputFile C:\Temp\AutopilotHWID.csv

Option C: From Configuration Manager

If using SCCM, use the built-in Autopilot device information collection.

Step 2: Import Devices into Autopilot

  1. Sign in to the Intune admin center
  2. Navigate to Devices > Enrollment > Windows > Windows enrollment
  3. Select Devices under Windows Autopilot Deployment Program
  4. Click Import
  5. Browse to your CSV file containing hardware hashes
  6. Click Import
  7. Wait for the import to complete (may take several minutes)

Step 3: Create an Autopilot Deployment Profile

  1. Navigate to Devices > Windows > Windows enrollment > Deployment Profiles
  2. Click Create profile > Windows PC
  3. Enter a Name (e.g., "Standard User Autopilot Profile")

Configure Out-of-box experience (OOBE) settings:

  1. Deployment mode: Select User-Driven or Self-Deploying

    • User-Driven: User signs in during setup
    • Self-Deploying: No user interaction (for shared/kiosk devices)
  2. Join to Azure AD as: Select Azure AD joined or Hybrid Azure AD joined

  3. Configure additional OOBE settings:

    • Microsoft Software License Terms: Hide
    • Privacy settings: Hide
    • Hide change account options: Yes
    • User account type: Standard or Administrator
    • Allow pre-provisioned deployment: Yes (for White Glove)
    • Language (Region): Operating system default or specific region
    • Automatically configure keyboard: Yes
    • Apply device name template: Yes (e.g., "CONTOSO-%SERIAL%")
  4. Click Next and configure scope tags if needed

  5. Click Next and assign to device groups

  6. Click Create

Step 4: Assign Profile to Devices

  1. Navigate to Devices > Windows > Windows enrollment > Devices
  2. Select the imported devices
  3. Click Assign profile
  4. Select your deployment profile
  5. Click Assign

Step 5: Deploy the Device

  1. Ship the device to the user or configure in your IT department
  2. User turns on the device
  3. Device connects to the internet
  4. Autopilot profile is downloaded automatically
  5. User signs in with their Azure AD credentials
  6. Device completes enrollment and configuration

Method 4: Bulk Enrollment with Provisioning Packages

Bulk enrollment is ideal for deploying multiple devices without requiring user credentials during setup.

Step 1: Install Windows Configuration Designer

  1. Download Windows Configuration Designer from the Microsoft Store
  2. Or install via Windows ADK (Assessment and Deployment Kit)
  3. Launch the application

Step 2: Create a Provisioning Package

  1. Click Provision desktop devices
  2. Enter a project name (e.g., "Intune-Bulk-Enrollment")
  3. Click Next

Configure device settings:

  1. Set up device:

    • Device name: Enter a naming pattern (e.g., "WS-%SERIAL%")
    • Enter product key if needed
  2. Set up network:

    • Configure Wi-Fi SSID and password if needed
    • Or skip for wired connections
  3. Account Management:

    • Select Enroll in Azure AD
    • Click Get Bulk Token
    • Sign in with an account that has enrollment permissions
    • The token is valid for 30 days
  4. Click Next through remaining sections

  5. Click Create to generate the package

Step 3: Export the Provisioning Package

  1. After creation, note the package location (typically Documents\Windows Imaging and Configuration Designer\{Project Name})
  2. Copy the .ppkg file to a USB drive

Step 4: Apply the Package to Devices

During OOBE (Out-of-Box Experience):

  1. Turn on the new device
  2. At the first setup screen, insert the USB drive with the .ppkg file
  3. Press Windows key + R to run
  4. Or wait for the package to be detected automatically
  5. Click Yes, add it when prompted
  6. The device will:
    • Join Azure AD
    • Enroll in Intune
    • Apply policies automatically

On an Already-Configured Device:

  1. Copy the .ppkg file to the device
  2. Double-click the package file
  3. Click Yes, add it
  4. The device will enroll in Intune
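As an added example that is not part of the original guide, the same package can be applied from PowerShell with the built-in Provisioning module instead of double-clicking it, which also lets you reject a package whose 30-day bulk token has probably expired. The package path is a placeholder, and the file's creation time is assumed to approximate when the bulk token was issued.

```powershell
# Added example (not the guide's own code): apply a bulk-enrollment .ppkg silently
# on an already-configured device and confirm it was installed.
# Assumptions: elevated PowerShell; Windows 10 1703+ (Provisioning module present);
# $PackagePath is a placeholder; package creation time ~ bulk token issue time.
param(
    [string]$PackagePath      = 'D:\Intune-Bulk-Enrollment.ppkg',  # placeholder
    [int]   $TokenLifetimeDays = 30                                # validity stated above
)
Import-Module Provisioning -ErrorAction Stop

if (-not (Test-Path $PackagePath)) { throw "Package not found: $PackagePath" }
$pkg = Get-Item $PackagePath

# The bulk token embedded at build time expires after 30 days; refuse a stale
# package instead of letting enrollment fail part-way through
$ageDays = ((Get-Date) - $pkg.CreationTime).TotalDays
if ($ageDays -gt $TokenLifetimeDays) {
    throw ("Package is {0:N0} days old; its bulk token has likely expired. " +
           "Rebuild it in Windows Configuration Designer.") -f $ageDays
}

# -QuietInstall suppresses the "Yes, add it" prompt; keep logs for troubleshooting
$logDir = Join-Path $env:TEMP 'ppkg-logs'
New-Item -ItemType Directory -Path $logDir -Force | Out-Null
Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -LogsDirectoryPath $logDir

# Confirm the package is recorded as installed on the device
Get-ProvisioningPackage -AllInstalledPackages

# Azure AD join and MDM URL should now be populated
dsregcmd /status | Select-String -Pattern 'AzureAdJoined|MdmUrl'
```

The device must not already be Azure AD joined or MDM enrolled, or the package's enrollment step will fail; the Intune admin center should then show the device under Devices > Windows > Windows devices after the next sync.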

Step 5: Verify Bulk Enrollment

  1. In Intune admin center, go to Devices > Windows > Windows devices
  2. Verify devices appear with "Enrolled" status
  3. Check that the enrollment method shows "Bulk enrollment"

Post-Enrollment Configuration

Configure Enrollment Status Page

The Enrollment Status Page (ESP) shows users the enrollment progress and prevents access until setup is complete.

  1. Navigate to Devices > Windows > Windows enrollment > Enrollment Status Page

  2. Click on Default profile or create a new one

  3. Configure settings:

    • Show app and profile configuration progress: Yes
    • Show an error when installation takes longer than specified minutes: 60
    • Show custom message when time limit or error occurs: Yes
    • Turn on log collection and diagnostics page for end users: Yes
    • Only show page to devices provisioned by OOBE: Yes
    • Block device use until all apps and profiles are installed: Yes (recommended for Autopilot)
    • Allow users to reset device if installation error occurs: Yes
    • Allow users to use device if installation error occurs: Yes
    • Block device use until required apps are installed: Select required apps
  4. Click Save

Verify Device Compliance

  1. Navigate to Devices > Windows > Windows devices
  2. Click on an enrolled device
  3. Check the Compliance status
  4. Review any non-compliant items
  5. Address compliance issues as needed

Review Installed Configurations

  1. On the enrolled device, open Settings
  2. Go to Accounts > Access work or school
  3. Click on your organization
  4. Click Info
  5. Review:
    • Sync status: Should show recent sync
    • Areas managed by organization: Lists applied policies

Troubleshooting

Device Not Appearing in Intune

Symptoms: Device shows as enrolled locally but doesn't appear in Intune admin center.

Solutions:

  1. Wait 15-30 minutes for sync to complete
  2. On the device, go to Settings > Accounts > Access work or school
  3. Click the account, then click Info > Sync
  4. Verify internet connectivity
  5. Check Windows Firewall allows outbound HTTPS (443)
  6. Review Event Viewer: Applications and Services Logs > Microsoft > Windows > DeviceManagement-Enterprise-Diagnostics-Provider

Automatic Enrollment Not Working

Symptoms: Users join Azure AD but device doesn't enroll in Intune.

Solutions:

  1. Verify Azure AD Premium P1 license is assigned to the user
  2. Check MDM user scope includes the user or their group
  3. Verify the user has an Intune license
  4. Run dsregcmd /status and verify MDM enrollment shows "YES"
  5. Check if Conditional Access policies are blocking enrollment

Enrollment Error Codes

Common error codes and solutions:

Error Code | Description           | Solution
0x80180001 | MDM already enrolled  | Unenroll device first, then re-enroll
0x80180002 | MDM enrollment failed | Check user licenses and MDM scope
0x80180003 | MDM user not licensed | Assign Intune license to user
0x80180014 | Device cap reached    | Increase device limit in enrollment restrictions
0x80180026 | User not authorized   | Verify user is in MDM scope
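The manual checks in the two troubleshooting sections above (dsregcmd /status, the DeviceManagement-Enterprise-Diagnostics-Provider event log, and the error-code table) can be run together on the affected device. The following diagnostic script is an added example, not part of the original guide; it assumes an elevated PowerShell session and the standard enrollment registry layout and log name on Windows 10/11.

```powershell
# Added diagnostic script (not from the original guide). Automates the
# troubleshooting checks above on the local device.
# Assumptions: elevated PowerShell; standard Windows 10/11 registry layout and log name.

# Error codes and remedies exactly as listed in the table above
$knownErrors = @{
    '0x80180001' = 'MDM already enrolled: unenroll the device first, then re-enroll'
    '0x80180002' = 'MDM enrollment failed: check user licenses and MDM user scope'
    '0x80180003' = 'MDM user not licensed: assign an Intune license to the user'
    '0x80180014' = 'Device cap reached: increase the limit in enrollment restrictions'
    '0x80180026' = 'User not authorized: verify the user is in the MDM user scope'
}

# 1. Join and MDM state from dsregcmd /status, parsed into a lookup table
$ds = @{}
dsregcmd /status | ForEach-Object {
    if ($_ -match '^\s*([^:]+?)\s*:\s*(.*?)\s*$') { $ds[$matches[1]] = $matches[2] }
}
"AzureAdJoined : $($ds['AzureAdJoined'])"
"MdmUrl        : $($ds['MdmUrl'])"      # empty when the device has no MDM enrollment
if ($ds['AzureAdJoined'] -eq 'YES' -and -not $ds['MdmUrl']) {
    Write-Warning 'Azure AD joined but no MDM URL: check MDM user scope and Azure AD Premium P1 / Intune licenses.'
}

# 2. Local enrollment record; Intune enrollments carry ProviderID "MS DM Server"
#    (EnrollmentState 1 = enrolled)
Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
    ForEach-Object { Get-ItemProperty $_.PSPath } |
    Where-Object { $_.ProviderID -eq 'MS DM Server' } |
    Select-Object UPN, EnrollmentState, DiscoveryServiceFullURL |
    Format-List

# 3. Errors from the MDM client log in the last 24 hours, with hints from the table
$log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
Get-WinEvent -FilterHashtable @{ LogName = $log; Level = 2; StartTime = (Get-Date).AddHours(-24) } -ErrorAction SilentlyContinue |
    ForEach-Object {
        # Pull any HRESULT-style codes out of the message and look them up
        $codes = [regex]::Matches($_.Message, '0x[0-9A-Fa-f]{8}') | ForEach-Object { $_.Value.ToLower() }
        [pscustomobject]@{
            Time    = $_.TimeCreated
            EventId = $_.Id
            Message = ($_.Message -split "`r?`n")[0]
            Hint    = ($codes | ForEach-Object { $knownErrors[$_] } | Where-Object { $_ }) -join '; '
        }
    } | Format-Table -AutoSize -Wrap
```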

Autopilot Profile Not Applying

Symptoms: Device goes through standard OOBE instead of Autopilot experience.

Solutions:

  1. Verify hardware hash was imported correctly
  2. Check profile assignment to device group
  3. Wait 15-30 minutes for profile sync after assignment
  4. Reset the device to trigger Autopilot again
  5. Verify internet connectivity during OOBE

Best Practices

Enrollment Recommendations

  1. Use Autopilot for new devices: Provides the best user experience and security
  2. Configure Enrollment Status Page: Prevents users from accessing an incomplete setup
  3. Set device enrollment limits: Prevent users from enrolling too many personal devices
  4. Use device groups for targeting: Assign policies to device groups, not user groups where possible
  5. Test with pilot group first: Validate enrollment process before broad deployment

Security Considerations

  1. Require MFA during enrollment: Add Conditional Access policy for enrollment
  2. Block personal device enrollment if not needed: Use enrollment restrictions
  3. Configure compliance policies: Ensure devices meet security requirements before accessing resources
  4. Use certificate-based authentication: More secure than username/password for device authentication
  5. Enable BitLocker encryption: Protect data on enrolled devices

Next Steps

After successfully enrolling Windows devices:

  1. Configure compliance policies: Define security requirements for enrolled devices
  2. Deploy applications: Push required apps through Intune
  3. Set up configuration profiles: Configure Wi-Fi, VPN, email, and security settings
  4. Configure Conditional Access: Require device compliance for resource access
  5. Monitor device health: Use Intune reports to track compliance and issues


Frequently Asked Questions

To enroll Windows devices in Intune, you need an active Microsoft Intune license (included with Microsoft 365 E3/E5, Business Premium, or standalone), Azure AD Premium P1 for automatic enrollment, and Windows 10/11 Pro, Enterprise, or Education editions. Devices must have internet connectivity and users need valid Azure AD credentials.
