There are several methods to enroll Windows devices in Microsoft Intune, depending on whether the devices are new (out-of-box), existing, or hybrid Azure AD-joined. Below is a detailed breakdown of each method:
1. Automatic Enrollment via Windows Autopilot (Best for New Devices)
Ideal for:
✔ Brand new devices (zero-touch provisioning)
✔ Corporate-owned devices
Steps:
- Upload Device Hashes to Intune
  - Extract hardware hashes using:
    - PowerShell (Get-WindowsAutopilotInfo)
    - OOBE during first boot (via CSV export)
    - Dell/HP/Lenovo OEM integration (direct sync with Autopilot)
- Create an Autopilot Profile
  - Go to Microsoft Intune Admin Center → Devices → Windows → Enrollment → Autopilot Deployment
  - Configure:
    - Deployment Mode: User-Driven or Self-Deploying
    - Skip privacy settings
    - Pre-provision apps (White Glove)
- Assign Devices to the Profile
  - Assign to a user or group.
- User Experience
  - User turns on device → Connects to internet → Automatically enrolls in Intune.
2. Manual Enrollment via Company Portal (BYOD or Existing Devices)
Ideal for:
✔ Personal (BYOD) Windows devices
✔ Existing devices not enrolled via Autopilot
Steps:
- Install Company Portal App
  - Download from Microsoft Store.
- Sign In & Enroll
  - Open Company Portal → Sign in with work account.
  - Click Enroll this device.
- Follow Prompts
  - Accept policies → Device registers in Intune.
3. Group Policy Enrollment (For Hybrid Azure AD-Joined Devices)
Ideal for:
✔ Organizations with on-premises Active Directory
✔ Existing domain-joined devices
Steps:
- Configure Azure AD Connect
  - Enable Hybrid Azure AD Join in AAD Connect.
- Create GPO for Auto-Enrollment
  - Open Group Policy Management → Create a new GPO.
  - Navigate to: Computer Configuration → Policies → Administrative Templates → Windows Components → MDM
  - Enable "Enable automatic MDM enrollment using default Azure AD credentials".
- Assign GPO to Devices
  - Link GPO to the desired OU.
- Device Sync & Enrollment
  - Run gpupdate /force → Reboot → Device auto-enrolls.
4. Bulk Enrollment via Provisioning Packages (Shared Devices)
Ideal for:
✔ Shared PCs (kiosks, classrooms)
✔ Devices without user association
Steps:
- Create a Provisioning Package
  - Use Windows Configuration Designer (WCD).
  - Select "Provision desktop devices".
- Configure Settings
  - Set "Enroll in MDM" → Use Intune tenant ID.
- Apply Package
  - Copy .ppkg to USB → Run on target device.
5. Co-Management with ConfigMgr (For SCCM Users)
Ideal for:
✔ Organizations using System Center Configuration Manager (SCCM)
✔ Phased migration to Intune
Steps:
- Enable Co-Management
  - In ConfigMgr Console, go to Administration → Cloud Services → Co-Management.
- Switch Workloads to Intune
  - Gradually move workloads (e.g., Compliance, Device Config).
- Auto-Enroll Existing Devices
  - Set "Auto-enroll" in co-management settings.
Comparison of Enrollment Methods
| Method | Best For | User Interaction | Management Level |
|---|---|---|---|
| Autopilot | New corporate devices | Minimal (zero-touch) | Full MDM |
| Company Portal | BYOD | Manual enrollment | MDM or MAM |
| GPO Enrollment | Hybrid AD environments | Automatic | Full MDM |
| Bulk Enrollment | Shared devices | One-time setup | Full MDM |
| Co-Management | SCCM migration | Automatic | Hybrid (Intune + SCCM) |
Troubleshooting Enrollment Issues
- Error: "Device cap reached" → Check license assignments.
- Error: "Enrollment blocked" → Verify Conditional Access policies.
- Logs: Check Event Viewer → Applications and Services → Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider.
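The read-only check below is an added example, not part of the original page or any Microsoft tooling. It confirms on one device that the Group Policy method from section 3 took effect and reads the latest result from the diagnostics log named above. The registry path and value names, the `/Admin` channel suffix, and event IDs 75 (auto-enroll succeeded) and 76 (failed) are assumptions not stated on the page, and the function name is hypothetical.

```powershell
# Added example: read-only verification of GPO-driven MDM auto-enrollment on the local device.
# Assumed (not from the page): policy registry path/values, the "/Admin" channel, event IDs 75/76.
function Get-MdmAutoEnrollState {
    [CmdletBinding()]
    param()

    # 1. Join state: a hybrid-joined device reports YES for both DomainJoined and AzureAdJoined.
    $join = @{ AzureAdJoined = $false; DomainJoined = $false }
    foreach ($line in (& dsregcmd.exe /status 2>$null)) {
        if ($line -match '^\s*(AzureAdJoined|DomainJoined)\s*:\s*(\S+)') {
            $join[$Matches[1]] = ($Matches[2] -eq 'YES')
        }
    }

    # 2. Did the auto-enrollment GPO actually reach this machine?
    #    A linked GPO that never applied leaves this key absent.
    $policyPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy = Get-ItemProperty -Path $policyPath -ErrorAction SilentlyContinue

    # 3. Most recent auto-enroll outcome from the diagnostics log.
    $logName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    $last = Get-WinEvent -FilterHashtable @{ LogName = $logName; Id = 75, 76 } `
                -MaxEvents 1 -ErrorAction SilentlyContinue

    $result = 'NoEvent'
    if ($last) {
        $result = if ($last.Id -eq 75) { 'Succeeded' } else { 'Failed' }
    }

    [pscustomobject]@{
        DomainJoined    = $join['DomainJoined']
        AzureAdJoined   = $join['AzureAdJoined']
        GpoAutoEnroll   = ($null -ne $policy -and $policy.AutoEnrollMDM -eq 1)
        CredentialType  = $policy.UseAADCredentialType   # assumed: 1 = user, 2 = device
        LastResult      = $result
        LastResultTime  = $last.TimeCreated
        LastMessage     = $last.Message                  # carries the error code on failure
    }
}

Get-MdmAutoEnrollState | Format-List
```

Run it from an elevated prompt after `gpupdate /force`. A device showing `GpoAutoEnroll = True` with `AzureAdJoined = False` has received the policy but is not yet hybrid-joined, so enrollment cannot proceed until the join completes.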
Next Steps
✅ Test with a pilot group
✅ Monitor enrollment status in Intune portal
✅ Deploy policies & apps post-enrollment
Need further clarification on any method? Let me know!