Enroll Windows devices

Applies to: Intune on Azure
Looking for documentation about Intune in the classic console? Go here.

This topic helps IT administrators simplify Windows enrollment for their users. Once you've set up Intune, users enroll Windows devices by signing in with their work or school account.

As an Intune admin, you can simplify enrollment in the following ways:

  • Enable automatic enrollment (Azure AD premium required)
  • CNAME registration
  • Enable bulk enrollment (Azure AD premium and Windows Configuration Designer required)

Two factors determine how you can simplify Windows device enrollment:

  • Do you use Azure Active Directory Premium?
    Azure AD Premium is included with Enterprise Mobility + Security and other licensing plans.
  • What versions of Windows clients will users enroll?
    Windows 10 devices can automatically enroll by adding a work or school account. Earlier versions must enroll using the Company Portal app.

| | Azure AD Premium | Other AD |
|---|---|---|
| Windows 10 | Automatic enrollment | User enrollment |
| Earlier Windows versions | User enrollment | User enrollment |

Organizations that can use automatic enrollment can also configure bulk enrollment of devices by using the Windows Configuration Designer app.

Multi-user support
Devices that run the Windows 10 Creators Update, and are Azure Active Directory domain-joined, are now supported for multi-user management by Intune. When standard users log on with their Azure AD credentials, they receive apps and policies assigned to their user name. Users cannot currently use the Company Portal for self-service scenarios like installing apps.

Enable Windows 10 automatic enrollment

Automatic enrollment lets users enroll their Windows 10 devices in Intune. To enroll, users add their work account to their personally owned devices or join corporate-owned devices to Azure Active Directory. In the background, the device registers and joins Azure Active Directory. Once registered, the device is managed with Intune.

Prerequisites

  • Azure Active Directory Premium subscription (trial subscription)
  • Microsoft Intune subscription

Configure automatic MDM enrollment

  1. Sign in to the Azure portal (https://manage.windowsazure.com), and select Azure Active Directory.

  2. Select Mobility (MDM and MAM).

  3. Select Microsoft Intune.

  4. Configure MDM User scope. Specify which users’ devices should be managed by Microsoft Intune. These Windows 10 devices can automatically enroll for management with Microsoft Intune.

    • None
    • Some
    • All

  5. Use the default values for the following URLs:

    • MDM Terms of use URL
    • MDM Discovery URL
    • MDM Compliance URL

      Important

      If both MAM user scope and automatic MDM enrollment (MDM user scope) are enabled for a group, only MAM is enabled. Only MAM is added for users in that group when they workplace join a personal device. Devices are not automatically MDM enrolled.

  6. Select Save.

By default, two-factor authentication is not enabled for the service. However, two-factor authentication is recommended when registering a device. To enable two-factor authentication, configure a two-factor authentication provider in Azure AD and configure your user accounts for multi-factor authentication. See Getting started with the Azure Multi-Factor Authentication Server.

Enable Windows enrollment without Azure AD Premium

You can simplify enrollment for your users by creating a DNS alias (CNAME record type) that automatically redirects enrollment requests to Intune servers. If you don't create a DNS CNAME resource record, users attempting to connect to Intune must enter the Intune server name during enrollment.

Step 1: Create CNAME (optional)
Create CNAME DNS resource records for your company’s domain. For example, if your company’s website is contoso.com, you would create a CNAME in DNS that redirects EnterpriseEnrollment.contoso.com to enterpriseenrollment-s.manage.microsoft.com.

Although creating CNAME DNS entries is optional, CNAME records make enrollment easier for users. If no enrollment CNAME record is found, users are prompted to manually enter the MDM server name, enrollment.manage.microsoft.com.

| Type | Host name | Points to | TTL |
|---|---|---|---|
| CNAME | EnterpriseEnrollment.company_domain.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |

If you have more than one UPN suffix, you need to create one CNAME for each domain name and point each one to EnterpriseEnrollment-s.manage.microsoft.com. If users at Contoso use name@contoso.com, but also use name@us.contoso.com and name@eu.contoso.com as their email/UPN, the Contoso DNS admin should create the following CNAMEs:

| Type | Host name | Points to | TTL |
|---|---|---|---|
| CNAME | EnterpriseEnrollment.contoso.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |
| CNAME | EnterpriseEnrollment.us.contoso.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |
| CNAME | EnterpriseEnrollment.eu.contoso.com | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour |

EnterpriseEnrollment-s.manage.microsoft.com – Supports a redirect to the Intune service with domain recognition from the email’s domain name

Changes to DNS records might take up to 72 hours to propagate. You cannot verify the DNS change in Intune until the DNS record propagates.
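Because the enrollment CNAME decides which server a device contacts during auto-discovery, it is worth auditing that every UPN suffix has a record and that each one points at the target named above. The following is an added example, not part of the original documentation: the function names, the sample UPNs and the BIND-style zone export format are assumptions made for illustration.

```python
# Added example: audit a DNS zone export for the enrollment CNAMEs described above.
TARGET = "enterpriseenrollment-s.manage.microsoft.com"  # CNAME target named on this page
PREFIX = "enterpriseenrollment"

def norm(name):
    """DNS names are case-insensitive; drop the trailing root dot."""
    return name.strip().rstrip(".").lower()

def upn_suffixes(upns):
    """Unique domain parts of the given UPNs, in first-seen order."""
    seen = []
    for upn in upns:
        local, sep, domain = upn.rpartition("@")
        if not (sep and local and domain):
            raise ValueError(f"not a UPN: {upn!r}")
        if norm(domain) not in seen:
            seen.append(norm(domain))
    return seen

def parse_zone(text):
    """Map owner -> target for 'owner [ttl] [IN] CNAME target' lines."""
    records = {}
    for line in text.splitlines():
        fields = line.split(";", 1)[0].split()  # strip zone-file comments
        upper = [f.upper() for f in fields]
        if "CNAME" in upper[1:-1]:
            i = upper.index("CNAME", 1)
            records[norm(fields[0])] = norm(fields[i + 1])
    return records

def audit(upns, zone_text):
    """Return {host: status} for each enrollment CNAME the UPN suffixes require."""
    records, report = parse_zone(zone_text), {}
    for suffix in upn_suffixes(upns):
        host = f"{PREFIX}.{suffix}"
        target = records.get(host)
        report[host] = ("missing" if target is None else
                        "ok" if target == TARGET else f"wrong target: {target}")
    return report

# Constructed sample data: one record present, one absent, one pointing elsewhere.
SAMPLE_UPNS = ["ana@contoso.com", "bo@us.contoso.com", "cy@EU.contoso.com", "di@contoso.com"]
SAMPLE_ZONE = """\
EnterpriseEnrollment.contoso.com.    3600 IN CNAME EnterpriseEnrollment-s.manage.microsoft.com.
enterpriseenrollment.eu.contoso.com. 3600 IN CNAME enrollment.example.net. ; constructed
"""

if __name__ == "__main__":
    for host, status in audit(SAMPLE_UPNS, SAMPLE_ZONE).items():
        print(f"{host:45} {status}")
```

A "missing" result means users with that UPN suffix will be prompted for the MDM server name; a "wrong target" result should be investigated before users enroll.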

Step 2: Verify CNAME (optional)
In the Azure Intune portal, choose More Services > Monitoring + Management > Intune. On the Intune blade, choose Enroll devices > Windows Enrollment. Enter the company website URL in the Specify a verified domain name box, and then choose Test Auto-Detection.

Tell users how to enroll Windows devices

Tell your users how to enroll their Windows devices and what to expect after they're brought into management. For end-user enrollment instructions, see Enroll your Windows device in Intune. You can also tell users to review What can my IT admin see on my device.

For more information about end-user tasks, see Resources about the end-user experience with Microsoft Intune.
