
Device Enrolment

Windows — Auto-Enrolment

Enable automatic MDM enrolment via Entra ID join or Hybrid Azure AD Join:

Intune admin center → Devices → Enrol devices → Windows enrolment → Automatic enrolment

| Setting | Value |
|---|---|
| MDM user scope | All (or a pilot group during rollout) |
| MAM user scope | None unless you also use MAM-WE. If a user is in both scopes, MDM applies to Entra ID joined devices and MAM to personal (Entra registered) devices. |

Once enabled, Entra ID joined devices enrol in Intune at the user's first sign-in, without user action, provided the signing-in user is in the MDM user scope and has an Intune licence. Hybrid joined devices additionally need the Group Policy Computer Configuration → Administrative Templates → Windows Components → MDM → Enable automatic MDM enrollment using default Azure AD credentials (credential type: User Credential), or co-management from Configuration Manager; without one of these they stay joined but never enrol.
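The following script is an added example, not part of the original page: run on a Windows device, it reports the join state from dsregcmd, whether the hybrid auto-enrolment GPO values are present, whether an Intune enrolment exists, and the last auto-enrolment event. It assumes Intune's enrolment provider is recorded in the registry as "MS DM Server" and that auto-enrolment logs event 75 (success) or 76 (failure) to the DeviceManagement-Enterprise-Diagnostics-Provider log; run it from an elevated prompt.

```powershell
# Added example, not from the original page: report the join and MDM enrolment
# state of the Windows device this runs on. Run elevated (PowerShell 5.1 or 7).
# Assumptions: Intune's enrolment provider is recorded as "MS DM Server";
# auto-enrolment writes event 75 (success) or 76 (failure) to the
# DeviceManagement-Enterprise-Diagnostics-Provider/Admin log.

function Get-DsregState {
    # dsregcmd /status prints "Key : Value" lines; turn them into a hashtable
    $state = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Test-IntuneAutoEnrolment {
    $ds          = Get-DsregState
    $entraJoined = ($ds['AzureAdJoined'] -eq 'YES')
    $hybrid      = $entraJoined -and ($ds['DomainJoined'] -eq 'YES')

    # Hybrid joined devices only auto-enrol when the GPO "Enable automatic MDM
    # enrollment using default Azure AD credentials" applies; it writes these values.
    $gpo   = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $gpoOk = ($gpo.AutoEnrollMDM -eq 1) -and ($gpo.UseAADCredentialType -eq 1)   # 1 = user credential

    # A completed Intune enrolment appears under HKLM\SOFTWARE\Microsoft\Enrollments
    $intune = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } |
        Select-Object -First 1

    # Most recent auto-enrolment result, if the device has attempted one
    $evt = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 75, 76
    } -MaxEvents 1 -ErrorAction SilentlyContinue

    [pscustomobject]@{
        JoinState          = $(if ($hybrid) { 'Hybrid Entra joined' } elseif ($entraJoined) { 'Entra joined' } else { 'Not Entra joined' })
        MdmUrl             = $(if ($ds.ContainsKey('MdmUrl')) { $ds['MdmUrl'] } else { '(none: user not in MDM scope, or no Intune licence)' })
        HybridGpoPresent   = $(if ($hybrid) { $gpoOk } else { 'n/a (not hybrid joined)' })
        IntuneEnrolled     = [bool]$intune
        EnrolledUpn        = $(if ($intune) { $intune.UPN } else { $null })
        LastAutoEnrolEvent = $(if ($evt) { "$($evt.TimeCreated) id=$($evt.Id) ($(if ($evt.Id -eq 75) { 'succeeded' } else { 'failed' }))" } else { 'no attempt logged' })
    }
}

Test-IntuneAutoEnrolment | Format-List
```

A hybrid device showing Entra joined but HybridGpoPresent False and no event is the typical "joined but never enrolled" case the section above warns about; an event 76 with IntuneEnrolled False usually means the user is outside the MDM user scope or unlicensed.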


Windows Autopilot

Autopilot enables zero-touch provisioning — new devices are shipped directly to users and configure themselves.

Setup steps

  1. Hardware hash collection: Ask OEM/reseller to submit hardware hashes on purchase, or collect from existing devices:

    # Run from an elevated PowerShell prompt on the device being registered
    Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force
    Install-Script -Name Get-WindowsAutopilotInfo -Force
    # -Online uploads the hash straight to Intune (prompts for an Intune admin sign-in);
    # use -OutputFile .\AutopilotHWID.csv instead to produce the CSV imported in step 2
    Get-WindowsAutopilotInfo -Online
    
  2. Register devices: Intune admin center → Devices → Enrol devices → Windows enrolment → Windows Autopilot Deployment Program → Devices → Import (CSV file)

  3. Create deployment profile: Intune admin center → Devices → Enrol devices → Windows enrolment → Deployment profiles

    | Setting | Recommended value |
    |---|---|
    | Deployment mode | User-driven |
    | Join to Azure AD as | Azure AD joined (Microsoft Entra joined). Hybrid Azure AD joined also needs the Intune Connector for Active Directory and line of sight to a domain controller; Microsoft recommends Entra join for new deployments. |
    | Microsoft Software Licence Terms (EULA) | Hide |
    | Privacy settings | Hide |
    | Hide change account options | Hide |
    | User account type | Standard (the enrolling user is not made a local administrator) |
    | Language (region) | Operating system default |
    | Automatically configure keyboard | Yes |
    | Apply device name template | PC-%SERIAL% or CORP-%RAND:4% (15 characters maximum; letters, digits and hyphens only; not all digits; Entra joined profiles only) |
  4. Assign profile to the device group (or All Devices). For Autopilot devices use a dynamic device group with the rule (device.devicePhysicalIDs -any (_ -startsWith "[ZTDId]")), which matches every registered Autopilot device; to target a group tag such as Finance use (device.devicePhysicalIDs -any (_ -eq "[OrderID]:Finance")).

  5. Enrolment Status Page: Intune admin center → Devices → Enrol devices → Windows enrolment → Enrolment Status Page. Configure it to block device use until required apps and profiles are installed:

    • Show app and profile configuration progress — Yes
    • Show an error when installation takes longer than specified number of minutes — 60
    • Block device use until all apps and profiles are installed — Yes (optionally limit the block to selected required apps)
    • Allow users to reset device if installation error occurs — Yes
    • Allow users to use device if installation error occurs — No; otherwise a failed install hands the user an unconfigured device and defeats the block
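Before the step 2 import and the step 3 naming decision, it pays to validate the CSV and the name template locally. The script below is an added example, not from the original page or the Autopilot tooling: it checks a hardware-hash CSV for the header Get-WindowsAutopilotInfo writes, the 500-row import limit, empty or duplicate serials and non-base64 hashes, and expands a device name template against a serial to enforce Autopilot's 15-character, letters/digits/hyphens, not-all-digits rules. The serial number, group tag and hash in the sample file are constructed; the hash is a dummy blob of roughly the right size, not a real hardware hash.

```powershell
# Added example, not from the original page: sanity-check a hardware-hash CSV
# before the step 2 import and preview what the step 3 name template produces.
# Facts relied on: Intune expects the header that Get-WindowsAutopilotInfo writes,
# imports at most 500 rows per file, and Autopilot device names are limited to
# 15 characters of letters, digits and hyphens and cannot be all digits.

function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)
    $problems = New-Object System.Collections.Generic.List[string]
    $rows     = @(Import-Csv -Path $Path)
    $header   = if ($rows.Count) { $rows[0].PSObject.Properties.Name } else { @() }
    foreach ($col in 'Device Serial Number', 'Windows Product ID', 'Hardware Hash') {
        if ($header -notcontains $col) { $problems.Add("missing column '$col'") }
    }
    if ($rows.Count -gt 500) { $problems.Add("$($rows.Count) rows; Intune imports at most 500 per file") }

    $seen = @{}
    for ($i = 0; $i -lt $rows.Count; $i++) {
        $line   = $i + 2                      # +1 for the header row, +1 for 1-based numbering
        $serial = $rows[$i].'Device Serial Number'
        $hash   = $rows[$i].'Hardware Hash'
        if ([string]::IsNullOrWhiteSpace($serial)) { $problems.Add("line ${line}: empty serial") }
        elseif ($seen.ContainsKey($serial))       { $problems.Add("line ${line}: duplicate serial $serial") }
        else                                        { $seen[$serial] = $true }
        try   { [void][Convert]::FromBase64String($hash) }
        catch { $problems.Add("line ${line}: hardware hash is not valid base64") }
        if ($hash.Length -lt 1000) { $problems.Add("line ${line}: hardware hash is only $($hash.Length) chars; real hashes are ~4000 (truncated paste?)") }
    }
    return $problems
}

function Expand-AutopilotNameTemplate {
    param([Parameter(Mandatory)][string]$Template, [Parameter(Mandatory)][string]$Serial)
    $name = $Template.Replace('%SERIAL%', $Serial)
    # %RAND:n% becomes n random digits
    $name = [regex]::Replace($name, '%RAND:(\d+)%', [System.Text.RegularExpressions.MatchEvaluator]{
        param($m) -join (1..[int]$m.Groups[1].Value | ForEach-Object { Get-Random -Minimum 0 -Maximum 10 }) })
    if ($name.Length -gt 15)               { throw "'$name' is $($name.Length) chars; the Autopilot limit is 15" }
    if ($name -notmatch '^[A-Za-z0-9-]+$') { throw "'$name' contains characters other than letters, digits and hyphens" }
    if ($name -match '^\d+$')              { throw "'$name' is all digits, which Autopilot rejects" }
    return $name
}

# Constructed sample file: serial, tag and hash are made up; the hash is a dummy
# base64 blob of about the right size, not a real hardware hash.
$dummyHash = [Convert]::ToBase64String([byte[]](1..3000 | ForEach-Object { $_ % 256 }))
$csv = Join-Path $env:TEMP 'autopilot-sample.csv'
@"
Device Serial Number,Windows Product ID,Hardware Hash,Group Tag,Assigned User
5CD1234ABC,,$dummyHash,Finance,
5CD1234ABC,,$dummyHash,Finance,
,,$dummyHash,,
"@ | Set-Content -Path $csv -Encoding ascii

Test-AutopilotCsv -Path $csv                                                      # reports the duplicate serial and the empty serial
Expand-AutopilotNameTemplate -Template 'PC-%SERIAL%'   -Serial '5CD1234ABC'        # substitutes the serial
Expand-AutopilotNameTemplate -Template 'CORP-%RAND:4%' -Serial '5CD1234ABC'        # four random digits
Expand-AutopilotNameTemplate -Template 'PC-%SERIAL%'   -Serial 'PF3ABCD12345XYZ'   # throws: longer than 15 characters
```

The last call is the practical lesson: PC-%SERIAL% is only safe when every OEM in the fleet ships serials of 12 characters or fewer, otherwise pick a template with a fixed-length token such as %RAND:n%.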

iOS / iPadOS Enrolment

Apple Business Manager (ABM) integration

  1. Prerequisite: upload an Apple MDM push certificate (Intune admin center → Tenant administration → Connectors and tokens → Apple MDM Push certificate). No Apple device enrols without it; it expires yearly and must be renewed with the same Apple ID, or every enrolled Apple device has to re-enrol
  2. Create an Apple Business Manager account at business.apple.com
  3. Intune admin center → Devices → iOS/iPadOS → Enrolment → Apple enrolment → Enrolment program tokens
  4. Download the public key (.pem) from Intune, create an MDM server in ABM with it, download the server token (.p7m) and upload it to Intune. This token also expires yearly
  5. In ABM, assign devices (by serial or order number) to that MDM server, then sync them into Intune

Automated device enrolment (supervised, zero-touch)

Create a profile in Enrolment program tokens → Create profile:

| Setting | Value |
|---|---|
| User affinity | Enrol with User Affinity for devices used by one person; Enrol without User Affinity for shared or kiosk devices |
| Supervised | Yes |
| Locked enrolment | Yes (users cannot remove the management profile) |
| Sync with computers | Disallow all (prevents pairing with computers) |
| Await final configuration | Yes (the device stays in Setup Assistant until enrolment-time policies have applied) |
| Touch ID / Face ID | Show (this only controls the Setup Assistant screen; require a passcode through a compliance or device configuration policy) |

Setup Assistant screens to hide: Appearance, iCloud Sign-In, Location Services, Siri, Screen Time, Privacy, Payment (tailor to your policy).


Android Enrolment

Android Enterprise — Work Profile (BYOD)

For personal devices, a work profile creates a separate, encrypted container for corporate apps and data; Intune manages only that container and cannot see personal apps or data:

Intune admin center → Devices → Android → Android enrolment → Managed Google Play

  1. Connect Intune to Managed Google Play using a dedicated corporate Google account (not an individual's account; the link is tenant-wide and long-lived)
  2. Allow the scenario: Devices → Enrol devices → Enrolment device platform restrictions → Android Enterprise (work profile) → personally-owned devices: Allow. There is no enrolment profile to create for personally-owned work profiles
  3. Users install the Intune Company Portal app from Google Play and sign in; Android creates the work profile and Intune applies the assigned policies to it

Android Enterprise — Fully Managed (Corporate)

For corporate-owned devices with full device management (the whole device, not a container):

  • Intune admin center → Devices → Android → Android enrolment → Corporate-owned, fully managed user devices → Allow. Intune exposes a single tenant-wide enrolment token here; you do not create per-group profiles
  • Enrolment: factory-reset the device and, at the Welcome screen, tap the screen six times to open the QR scanner and scan the Intune QR code, or enter afw#setup as the Google account on the sign-in screen and scan the QR code when prompted. Devices bought through a zero-touch reseller can be pre-assigned the token in the Google zero-touch portal so they enrol on first boot
  • If the device is corporate-owned but users also need a personal space, use Corporate-owned devices with work profile instead; it uses per-profile enrolment tokens like dedicated devices

macOS Enrolment

Apple Business Manager + automated enrolment

The ABM token uploaded for iOS/iPadOS covers macOS too: assign the Macs to the same MDM server in ABM, then create a macOS enrolment profile under Devices → macOS → Enrolment → Enrolment program tokens. Macs enrolled this way have the MDM profile approved automatically and users cannot remove it.

For existing Macs not in ABM, users can enrol through the Company Portal app. This produces a User Approved MDM enrolment: the user must approve the management profile in System Settings and can later remove it; only ABM-based enrolment makes the profile non-removable.


Enrolment Restrictions

Control which device types can enrol:

Intune admin center → Devices → Enrol devices → Enrolment device platform restrictions

| Restriction | Recommended setting |
|---|---|
| iOS minimum OS version | 16.0 |
| Android minimum OS version | 12.0 |
| Windows minimum OS version | 10.0.19041 (Windows 10 2004) |
| Block personal Windows devices | Consider Yes. Autopilot, Entra join auto-enrolment, bulk enrolment, GPO and co-management enrolments count as corporate; "personal" here means a user adding a work account through Settings or Company Portal |
| Block personally-owned Android | No (allow Work Profile) |

Restrictions are evaluated once, at enrolment, against the enrolling user's highest-priority restriction policy (userless enrolments fall back to the default policy). A device that later drops below the minimum version is not unenrolled; enforce an ongoing OS baseline with a compliance policy and Conditional Access. Version strings compare numerically per component, so 10.0.22621 (Windows 11) satisfies a 10.0.19041 minimum.
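To make the evaluation concrete, the script below is an added example, not from the original page: it encodes the table above as a hand-written restriction object (not read from Graph) and applies it to constructed enrolment attempts the way Intune does at enrolment time. The device records are made up. The detail worth seeing is the version comparison, which must be done with [version] rather than string comparison, and the Android habit of reporting a bare major version.

```powershell
# Added example, not from the original page: apply the restrictions in the table
# above to constructed enrolment attempts. $Restrictions is hand-written to mirror
# the table; it is not pulled from Graph. OS versions are compared as [version]
# values, never as strings.

$Restrictions = @{
    iOS     = @{ MinOs = '16.0';       BlockPersonal = $false }
    Android = @{ MinOs = '12.0';       BlockPersonal = $false }
    Windows = @{ MinOs = '10.0.19041'; BlockPersonal = $true  }
}

function Test-EnrolmentAllowed {
    param(
        [Parameter(Mandatory)][ValidateSet('iOS', 'Android', 'Windows')][string]$Platform,
        [Parameter(Mandatory)][string]$OsVersion,
        [Parameter(Mandatory)][ValidateSet('Corporate', 'Personal')][string]$Ownership
    )
    $rule = $Restrictions[$Platform]
    # Android reports bare majors such as "11"; [version] needs at least Major.Minor
    if ($OsVersion -notmatch '\.') { $OsVersion = "$OsVersion.0" }

    $result = [ordered]@{ Platform = $Platform; OsVersion = $OsVersion; Ownership = $Ownership }
    if ([version]$OsVersion -lt [version]$rule.MinOs) {
        $result.Allowed = $false; $result.Reason = "below minimum OS $($rule.MinOs)"
    }
    elseif ($Ownership -eq 'Personal' -and $rule.BlockPersonal) {
        $result.Allowed = $false; $result.Reason = 'personally-owned devices blocked for this platform'
    }
    else {
        $result.Allowed = $true;  $result.Reason = 'meets platform restrictions'
    }
    return [pscustomobject]$result
}

# Constructed sample attempts (not real tenant data)
$attempts = @(
    @{ Platform = 'iOS';     OsVersion = '17.4.1';          Ownership = 'Personal'  }  # allowed
    @{ Platform = 'iOS';     OsVersion = '15.8';            Ownership = 'Corporate' }  # blocked: below 16.0
    @{ Platform = 'Android'; OsVersion = '11';              Ownership = 'Personal'  }  # blocked: below 12.0
    @{ Platform = 'Windows'; OsVersion = '10.0.22631.3447'; Ownership = 'Personal'  }  # blocked: personal Windows
    @{ Platform = 'Windows'; OsVersion = '10.0.9000';       Ownership = 'Corporate' }  # blocked: a string compare would wrongly allow this
)
$results = foreach ($a in $attempts) { Test-EnrolmentAllowed @a }
$results | Format-Table Platform, OsVersion, Ownership, Allowed, Reason -AutoSize

# Why [version] matters: as strings, "10.0.9000" sorts after "10.0.19041" and
# "16.10" sorts before "16.9", so a string comparison gets both of these wrong.
'10.0.9000' -lt '10.0.19041'                      # string comparison: wrong answer
[version]'10.0.9000' -lt [version]'10.0.19041'    # numeric per component: correct
```

The same comparison pitfall applies to any home-grown compliance or reporting script that reads osVersion from Graph, which is why the example normalises the value before casting.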