Set up Windows device management

Applies to: Intune in the classic portal
Looking for documentation about Intune in the Azure portal? Go here.

This topic helps IT administrators simplify Windows enrollment for their users. Windows devices can be enrolled without any additional steps, but you can make enrollment easier for users.

Two factors determine how you can simplify Windows device enrollment:

  • Do you use Azure Active Directory Premium?
    Azure AD Premium is included with Enterprise Mobility + Security and other licensing plans.
  • What versions of Windows clients will enroll?
    Windows 10 devices can automatically enroll by adding a work or school account. Earlier versions must enroll using the Company Portal app.

                          Azure AD Premium        Other AD
Windows 10                Automatic enrollment    User enrollment
Earlier Windows versions  User enrollment         User enrollment

Enable Windows 10 automatic enrollment

Automatic enrollment lets users enroll their Windows 10 devices in Intune when adding their work account to their personally-owned devices or joining their corporate-owned devices to your Azure Active Directory. In the background, the user's device registers and joins Azure Active Directory. Once registered, the device is managed with Intune.


Prerequisites

  • Azure Active Directory Premium subscription (trial subscription)
  • Microsoft Intune subscription

Configure automatic MDM enrollment

  1. Sign in to the Azure management portal, and select Azure Active Directory.

  2. Select Mobility (MDM and MAM).

  3. Select Microsoft Intune.

  4. Configure MDM User scope. Specify which users’ devices should be managed by Microsoft Intune. These users’ Windows 10 devices will be automatically enrolled for management with Microsoft Intune.

    • None
    • Some
    • All

  5. Use the default values for the following URLs:

    • MDM Terms of use URL
    • MDM Discovery URL
    • MDM Compliance URL
  6. Select Save.

By default, two-factor authentication is not enabled for the service. However, two-factor authentication is recommended when registering a device. Before requiring two-factor authentication for this service, you must configure a two-factor authentication provider in Azure Active Directory and configure your user accounts for multi-factor authentication. See Getting started with the Azure Multi-Factor Authentication Server.

Enable Windows enrollment without automatic enrollment

You can let users enroll their devices without Azure AD Premium automatic enrollment. Once you assign licenses, users can enroll after adding their work account to their personally-owned devices or joining their corporate-owned devices to your Azure AD. Creating a DNS alias (CNAME record type) makes it easier for users to enroll their devices. If you create DNS CNAME resource records, users connect and enroll in Intune without having to enter the Intune server name.

Step 1: Create CNAMEs (optional)
Create CNAME DNS resource records for your company’s domain. For example, if your company’s website is, you would create a CNAME in DNS that redirects to

Although creating CNAME DNS entries is optional, CNAME records make enrollment easier for users. If no enrollment CNAME record is found, users are prompted to manually enter the MDM server name,

If there is more than one verified domain, create a CNAME record for each domain. The CNAME resource records must contain the following information:

TYPE Host name Points to TTL
CNAME 1 Hour
CNAME 1 Hour – Supports a redirect to the Intune service with domain recognition from the email’s domain name

If your company uses multiple domains for user credentials, create CNAME records for each domain.

Changes to DNS records might take up to 72 hours to propagate. You cannot verify the DNS change in Intune until the DNS record propagates.

Step 2: Verify CNAME (optional)
In the Intune administration console, choose Admin > Mobile Device Management > Windows. Enter the URL of the verified domain of the company website in the Specify a verified domain name box, and then choose Test Auto-Detection.
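
Before running Test Auto-Detection, you can audit a zone export to confirm that every verified domain carries each enrollment CNAME, that it points to the expected target, and that it uses the 1-hour TTL from the table above. This is an added example, not Microsoft tooling; the alias labels, targets and domain names in it are constructed placeholders, so substitute the host names and targets that apply to your tenant.

```python
# Added example: audit enrollment CNAME records in a zone export.
# ASSUMPTION: alias labels, targets and domains are placeholders, not real Intune names.
REQUIRED = {  # alias label -> expected "Points to" target (placeholders)
    "enroll-alias": "mdm-target.example.net",
    "register-alias": "reg-target.example.net",
}
EXPECTED_TTL = 3600  # the CNAME table on this page lists a TTL of 1 hour

def norm(name):
    """DNS names compare case-insensitively; ignore the trailing root dot."""
    return name.strip().rstrip(".").lower()

def parse_cnames(zone_text):
    """Parse 'fqdn TTL IN CNAME target' lines into {fqdn: (ttl, target)}."""
    records = {}
    for line in zone_text.splitlines():
        fields = line.split(";", 1)[0].split()  # drop trailing comments
        if len(fields) == 5 and [f.upper() for f in fields[2:4]] == ["IN", "CNAME"]:
            records[norm(fields[0])] = (int(fields[1]), norm(fields[4]))
    return records

def audit(verified_domains, zone_text, required=REQUIRED):
    """Return {fqdn: status} for every required alias in every verified domain."""
    records = parse_cnames(zone_text)
    report = {}
    for domain in verified_domains:
        for label, target in required.items():
            fqdn = f"{label}.{norm(domain)}"
            if fqdn not in records:
                report[fqdn] = "missing"  # users must type the MDM server name
            elif records[fqdn][1] != norm(target):
                report[fqdn] = "wrong-target"  # alias leads somewhere unexpected
            elif records[fqdn][0] != EXPECTED_TTL:
                report[fqdn] = "ttl-differs"
            else:
                report[fqdn] = "ok"
    return report

# Constructed sample: two verified domains, one short TTL, one mispointed alias.
SAMPLE_ZONE = """\
enroll-alias.contoso.example.    3600 IN CNAME mdm-target.example.net.
register-alias.contoso.example.  3600 IN CNAME REG-TARGET.example.net.
enroll-alias.fabrikam.example.   300  IN CNAME mdm-target.example.net.  ; short TTL
register-alias.fabrikam.example. 3600 IN CNAME old-host.fabrikam.example.
"""

if __name__ == "__main__":
    for name, status in audit(["contoso.example", "Fabrikam.example"], SAMPLE_ZONE).items():
        print(f"{status:12} {name}")
```

A "wrong-target" result deserves attention before users enroll, because the alias decides which host receives their enrollment request.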

Tell users how to enroll Windows devices

Tell your users how to enroll their Windows devices and what to expect after they're brought into management. For end-user enrollment instructions, see Enroll your Windows device in Intune. You can also send users to What can my IT admin see on my device.

For more information about end-user tasks, see Resources about the end-user experience with Microsoft Intune.

See also

Prerequisites for enrolling devices in Microsoft Intune