Identify devices as corporate-owned

Applies to:

  • Windows 11
  • iOS/iPadOS
  • Android

Ensure that corporate devices are marked as corporate-owned as soon as they enroll by adding their corporate identifiers ahead of time in the Microsoft Intune admin center. Corporate devices unlock more device management capabilities than personal devices. For example, Microsoft Intune can collect more information about corporate-owned devices for you, such as full phone number and app inventory.

You can upload a file of corporate identifiers in the admin center or enter each identifier separately. Windows Autopilot device preparation It isn't necessary to add corporate identifiers for all deployments. During enrollment, Intune automatically assigns corporate-owned status to devices that join to Microsoft Entra via:

Microsoft Intune marks devices that register with Microsoft Entra as personal.

Role based access control

To add corporate identifiers, you must be an Intune administrator or global administrator, or hold a custom Intune role that is assigned corporate device identifier permissions. Permissions include:

  • Update
  • Read
  • Delete
  • Create

Supported corporate identifiers

Before you begin, determine the type of corporate identifiers you want to add. You can add one type of corporate identifier per CSV file. Devices that enroll without corporate identifiers are marked as personal. Intune supports the following identifiers:

  • IMEI
  • Serial number
  • Serial number, manufacturer, and model (Windows only)

Support by platform

The following table shows the identifiers supported for each platform. When a device with a matching identifier enrolls, Intune marks it as corporate-owned.

| Platform | IMEI number | Serial number | Serial number, model, manufacturer |
|---|---|---|---|
| Windows | Not supported | Not supported | ✔️ |
| iOS/iPadOS | ✔️ Supported in some cases. For more information, see Add Android, iOS corporate identifiers. | ✔️ We recommend using a serial number for iOS/iPadOS identification when possible. | Not supported |
| macOS | Not supported | ✔️ | Not supported |
| Android device administrator | ✔️ Supported with Android 9 and earlier. | ✔️ Supported with Android 9 and earlier. | Not supported |
| Android Enterprise, personally owned work profile | ✔️ Supported with Android 11 and earlier. | ✔️ Supported with Android 11 and earlier. | Not supported |

Step 1: Create CSV file

Create a list of corporate identifiers and save it as a CSV file. You can add up to 5,000 rows or 5 MB of data per file, whichever comes first. Don't add headers.

Important

Remember, only add one type of corporate identifier per CSV file.

Add Windows corporate identifiers

For Windows corporate identifiers, list the manufacturer, model, and serial number as shown in the following example.

Microsoft,surface 5,01234567890123   
Lenovo,thinkpad t14,02234567890123  

Remove all periods, if applicable, from the serial number before you add it to the file.

After you add Windows corporate identifiers, Intune marks devices that match all three identifiers as corporate-owned, and marks all other enrolling devices in your tenant as personal. This means that anything you exclude from the Windows corporate identifiers is marked personal. To change the ownership type after enrollment, you have to manually adjust it in the admin center.

| Windows enrollment types | With corporate identifiers | Without corporate identifiers |
|---|---|---|
| Windows Autopilot | Corporate | Corporate |
| Windows Autopilot device preparation | Corporate | Personal |
| Group policy (GPO) or co-management with automatic enrollment and Configuration Manager | Corporate | Corporate |
| Bulk enrollment with provisioning package | Corporate | Corporate |
| Enrollment via enrollment manager account | Corporate | Corporate |
| Azure Virtual desktop (non-hybrid) | Corporate | Corporate |
| Automatic MDM enrollment with Microsoft Entra join during Windows setup | Corporate | Personal |
| Automatic MDM enrollment with Microsoft Entra join from Windows settings | Corporate | Personal |
| Automatic MDM enrollment with Microsoft Entra join or hybrid Entra join via Windows Autopilot for existing devices | Corporate | Personal |
| Automatic MDM enrollment with Add work account from Windows settings | Personal | Personal |
| MDM enrollment only via Windows Settings | Personal | Personal |
| Enrollment via Intune Company Portal app | Personal | Personal |
| Enrollment via a Microsoft 365 app, which occurs when users select the Allow my organization to manage my device option during app sign-in | Personal | Personal |

Windows corporate identifiers can only change ownership type if someone adds them to Microsoft Intune. If you don't have corporate identifiers for Windows in Intune, or if you remove them, devices that are Microsoft Entra domain joined are marked as corporate-owned. This includes devices enrolled via automatic MDM enrollment with:

Add Android, iOS corporate identifiers

To add corporate identifiers for all other platforms, list one IMEI or serial number per line as shown in the following example.

01234567890123,device details  
02234567890123,device details  

Remove all periods, if applicable, from the serial number before you add it to the file. You can add device details after each corporate identifier. Details are limited to 128 characters and are for administrative use only. They don't appear on the device.

Android and iOS/iPadOS devices can have multiple IMEI numbers. Intune reads and records one IMEI per enrolled device. If you import an IMEI that's different from the one already in Intune, Intune will mark the device as personal. If you import multiple IMEI numbers for the same device, the identifiers that haven't been inventoried appear with an unknown enrollment status.

Android serial numbers are not guaranteed to be unique or present. Check with your device supplier to find out if the serial number is a reliable device ID. Serial numbers reported by the device to Intune might not match the ID shown on the device in Android settings or Android device information. Verify the type of serial number reported by the device manufacturer.
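
One way to check a file against the Step 1 requirements before uploading it, as an added example that is not part of the original page and not a Microsoft tool. The function name `Test-CorporateIdentifierCsv`, its `-Type` values, the in-file duplicate check and the sample rows are assumptions made for illustration; the limits (5,000 rows, 5 MB, 128-character details, no periods in serial numbers, no device details for Windows) are the ones stated above.

```powershell
# Hypothetical helper, not a Microsoft tool: checks a corporate identifier CSV
# against the limits and row formats stated on this page before upload.
function Test-CorporateIdentifierCsv {
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Windows = manufacturer,model,serial; ImeiOrSerial = identifier[,device details]
        [Parameter(Mandatory)] [ValidateSet('Windows', 'ImeiOrSerial')] [string] $Type
    )
    $problems = [System.Collections.Generic.List[string]]::new()
    if ((Get-Item -LiteralPath $Path).Length -gt 5MB) { $problems.Add('File exceeds 5 MB') }
    $rows = @(Get-Content -LiteralPath $Path | Where-Object { $_.Trim() })
    if ($rows.Count -gt 5000) { $problems.Add("$($rows.Count) rows; the limit is 5,000") }

    $seen = @{}   # key -> first row number (PowerShell hashtable keys ignore case)
    for ($i = 0; $i -lt $rows.Count; $i++) {
        $n = $i + 1
        if ($Type -eq 'Windows') {
            $fields = @($rows[$i] -split ',' | ForEach-Object { $_.Trim() })
            if ($fields.Count -ne 3 -or $fields -contains '') {
                $problems.Add("Row ${n}: expected manufacturer,model,serial with no extra columns")
                continue
            }
            $id  = $fields[2]
            $key = $fields -join ','
        }
        else {
            # Split once only, so commas inside the device details stay in the details
            $fields = @($rows[$i] -split ',', 2 | ForEach-Object { $_.Trim() })
            $id  = $fields[0]
            $key = $id
            if (-not $id) { $problems.Add("Row ${n}: identifier is empty"); continue }
            if ($fields.Count -gt 1 -and $fields[1].Length -gt 128) {
                $problems.Add("Row ${n}: device details exceed 128 characters")
            }
        }
        if ($id.Contains('.')) { $problems.Add("Row ${n}: remove periods from '$id'") }
        if ($seen.ContainsKey($key)) { $problems.Add("Row ${n}: duplicate of row $($seen[$key])") }
        else { $seen[$key] = $n }
    }
    $problems
}

# Constructed sample: row 2 has periods, row 3 repeats row 1, row 4 has no model.
$sample = Join-Path ([System.IO.Path]::GetTempPath()) 'corp-ids-sample.csv'
@('Microsoft,surface 5,01234567890123',
  'Lenovo,thinkpad t14,0223.4567.890123',
  'Microsoft,surface 5,01234567890123',
  'Contoso,,03234567890123') | Set-Content -LiteralPath $sample
Test-CorporateIdentifierCsv -Path $sample -Type Windows
```

An empty result means the file passed these checks; it does not replace the validation Intune runs during upload.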

Step 2: Add corporate identifiers in admin center

You can upload a CSV file of corporate identifiers, or manually enter the corporate identifiers in the Microsoft Intune admin center. Manual entry is not available for Windows corporate identifiers.

Upload CSV file

Applies to Android, iOS/iPadOS, and Windows

Upload the CSV file you created in Step 1: Create CSV file to add corporate identifiers.

  1. Sign in to the Microsoft Intune admin center.

  2. Go to Devices > Enrollment.

  3. Select the Corporate device identifiers tab.

  4. Choose Add > Upload CSV file.

  5. Select the identifier type. Your options:

    • IMEI
    • Serial
    • Manufacturer, model, and serial number (Windows only)
  6. Under Import identifiers, find and select the CSV file.

  7. Wait while Intune validates the CSV file. When the total device identifiers count appears onscreen, validation is complete.

    Tip

    If your import fails, check that the CSV file meets formatting requirements.

  8. Select Add, and then look for the success notification at the top of the admin center to confirm that the file is imported.

    Note

    A pop-up window prompting you to review duplicate identifiers appears if the CSV file contains corporate identifiers that are already in Intune but have different device details. To resolve the duplicates, select the identifiers that you want to overwrite in Intune. Then select Ok to add the identifiers. Intune only compares the first duplicate of each identifier.

Manually enter corporate identifiers

Applies to Android and iOS/iPadOS

Enter corporate identifiers in the Microsoft Intune admin center to add corporate identifiers.

  1. In the Microsoft Intune admin center, go to Devices > Enrollment.

  2. Select the Corporate device identifiers tab.

  3. Choose Add > Enter manually.

  4. Select the identifier type. Your options:

    • IMEI
    • Serial
  5. Enter the corporate identifier and details. When you're done entering identifiers, select Add.

  6. Select Refresh to reload your list. The corporate identifiers you added should now be visible.

    Note

    A pop-up window prompting you to review duplicate identifiers appears if your entries contain corporate identifiers that are already in Intune but have different device details. To resolve the duplicates, select the identifiers that you want to overwrite. Then select Ok to add the identifiers. Intune only compares the first duplicate of each identifier.

Check enrollment status

Follow up on imported devices to ensure that they enroll in Intune. After you add corporate identifiers, you can see the status of the devices in the admin center:

  • Enrolled: The device completed enrollment.
  • Not contacted: The device hasn't made contact with the Microsoft Intune service.
  • Not applicable:
  • Failed: The device did not complete enrollment.

Delete corporate identifiers

  1. In the admin center, go to Devices > Enrollment.
  2. Select the Corporate device identifiers tab.
  3. Select the device identifiers you want to delete, and choose Delete.
  4. Confirm the deletion.

Deleting a corporate identifier for an enrolled device does not change the device's ownership.

Change device ownership

To edit a device's identification after enrollment, change its ownership setting in the admin center. An ownership property appears for each device record in Microsoft Intune.

  1. Go to Devices > All devices.

  2. Select a device.

  3. Choose Properties.

  4. For Device ownership, select Personal or Corporate.


When you change a device's ownership type from corporate to personal, Intune deletes all app information previously collected from that device within seven days. If applicable, Intune also deletes the phone number on record. Intune still collects the inventory of apps installed by the IT admin on the device, and a partial phone number.

When you change the ownership of an iOS/iPadOS or Android device from personal to corporate, a push notification is sent through the Company Portal app to inform the device user of the change. To configure push notifications, go to Tenant administration > Customization. For more information, see Company Portal - Configuration.

Block personal devices

To prevent all personal devices from enrolling, configure an enrollment platform restriction for personal devices.

To confirm the reason for an enrollment failure, go to Devices > Enrollment failures and look in the table under Failure reason. In this case, the reason is Enrollment restriction not met. Select the reason to open failure details.

Known issues and limitations

  • Windows corporate device identifiers are only supported for devices running Windows 11 version 22H2 and later. Earlier versions can’t render the model and manufacturer property. As a result, the property appears in the admin center as Unknown. We are working on expanding corporate identifier support to devices running earlier versions of Windows.

  • You can upload up to 10 CSV files for Windows corporate identifiers in the admin center. If you need to upload more data, we recommend using PowerShell or the Microsoft Intune Graph API to add corporate identifiers.

  • Windows currently doesn't support device details in CSV files.

Resources

For details about International Mobile Equipment Identifiers, see 3GPP TS 23.003.

You can use the following script to get the device details required for Windows corporate identifiers:

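# Prints "Manufacturer,Model,SerialNumber" for the local device (Get-WmiObject requires Windows PowerShell)
(Get-WmiObject -Class Win32_ComputerSystem | ForEach-Object { $_.Manufacturer, $_.Model, (Get-WmiObject -Class Win32_BIOS).SerialNumber -join ',' })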

For more information about locating a serial number, see Find Surface serial number.