Mastering the Automatic Enrollment of PCs into Microsoft Intune

Key Insights

Prerequisites and Licensing: Ensure you have the required Microsoft Entra ID licenses, Intune subscription, and valid user licenses.
Multiple Enrollment Methods: Utilize Windows Automatic Enrollment, Windows Autopilot, and Group Policy for Hybrid Azure AD joined devices.
Efficient Management and Monitoring: Configure proper enrollment settings, verify device compliance, and monitor using the Intune admin center.

Overview of Automatic Enrollment to Microsoft Intune

Enrolling PCs automatically into Microsoft Intune simplifies device management by enabling centralized control, security, and compliance across an organization's Windows endpoints. The automatic enrollment process uses a combination of configuration settings in Intune, integration with Azure Active Directory (Azure AD), and the application of policies via Group Policy or Windows Autopilot.

Organizations with a Microsoft Entra ID Premium (P1 or P2) and a valid Microsoft Intune subscription can trigger automatic enrollment. Once configured, devices that join Azure AD (whether corporate-owned or hybrid joined) will automatically be registered and managed within Intune, minimizing manual intervention. This process can occur during the initial Out-of-Box Experience (OOBE) or once the device is joined to Azure AD.

Step-by-Step Process for Automatic Enrollment

1. Verify Prerequisites

Before initiating the automatic enrollment process, ensure that:

Microsoft Entra ID Subscription: You have an active Microsoft Entra ID Premium (P1 or P2) license.
Intune Subscription: Your organization has subscribed to Microsoft Intune.
Appropriate Licensing: Users must have the necessary Intune licenses. For Windows PCs, ensure that the OS version is Windows 10 (version 1709 or later) or Windows 11.
Global Administrator Role: The person configuring the settings must be a Global Administrator in Microsoft Entra ID.

2. Configure Automatic Enrollment in Intune

a. Setup in the Intune Admin Center

Begin by accessing the Microsoft Intune Admin Center. From there:

Navigate to Devices > Windows > Windows enrollment.
Select the Automatic Enrollment option under the Windows tab.
Configure the MDM User Scope, either for all or a subset of users (through group assignment). This setting filters which users’ devices are automatically enrolled.
Save your configuration. If the automatic enrollment option isn’t available, verify your premium subscription or activate a trial if required.

b. Configuring Azure Active Directory (AAD) for Enrollment

To ensure that any PC joining Azure AD is automatically enrolled in Intune:

Go to the Azure portal (https://portal.azure.com) and navigate to Azure Active Directory.
Select Mobility (MDM and MAM) then locate Microsoft Intune settings.
Assign the MDM user scope to include target users or groups for enrollment.

3. Enrollment Methods

a. Windows Automatic Enrollment

With Windows Automatic Enrollment, devices are automatically registered in Intune as soon as the user logs in with their work or school account:

Azure AD Join: When a device is joined to Azure AD, it can automatically trigger MDM enrollment.
Group Policy Enrollment for Hybrid AD: For on-premises Active Directory environments, a Group Policy Object can be configured. This policy sets Windows to enroll automatically using default Azure AD credentials when the device is Hybrid Azure AD Joined.

To implement this, you need to modify Group Policy settings under Computer Configuration > Policies > Administrative Templates > Windows Components > MDM. Enabling the policy creates a scheduled task that enrolls the device in Intune automatically.

b. Windows Autopilot

Windows Autopilot streamlines the process of deploying and enrolling new devices:

Devices must be registered with Windows Autopilot and uploaded to the service.
Create a deployment profile in Intune that configures devices during the Out-of-Box Experience (OOBE), automatically joining them to Azure AD and enrolling in Intune.
This method is ideal for mass deployment and corporate-owned devices.

c. BYOD and Self-Service Enrollment

For Bring Your Own Device (BYOD) scenarios, users can manually enroll their personal devices:

Users sign into their device with a work or school account.
Select the option to “connect” their device for work or school purposes.
This self-enrollment can be complemented by policies in Intune that accommodate various device types and ownership models.

4. Testing and Verification

Once all configurations have been applied, it is crucial to test the enrollment process:

Have a test user sign into a PC to verify that the automatic enrollment process initiates correctly.
Check the Microsoft Intune admin center to confirm that the device is listed under enrolled devices.
Monitor logs and device details to ensure compliance and troubleshoot any issues.

Visual Data Representation

The radar chart below summarizes the strength of various enrollment methods based on ease of deployment, scalability, security, support, and user experience. Each metric is based on our aggregate analysis of common implementations.

Enrollment Overview Table

The table below offers a comprehensive comparison of the key methods for automatically enrolling PCs into Microsoft Intune, encompassing requirements, configuration steps, and ideal use scenarios.

Method	Prerequisites	Configuration Steps	Ideal For
Windows Automatic Enrollment	Microsoft Entra ID Premium Intune and valid OS version Global Admin role	Configure MDM User Scope via Intune Adjust Azure AD settings Use GPO for Hybrid joined devices	Domain-joined and Hybrid Azure AD Joined devices
Windows Autopilot	Microsoft Entra ID Premium Intune subscription Device registration with Autopilot	Create and assign Autopilot deployment profiles Configure OOBE settings for automatic enrollment	Corporate-owned, new devices
Group Policy Auto Enrollment	Active Directory and Hybrid Azure AD Join Windows 10 (1709+) MDM ADMX templates installed	Deploy a GPO to enable default Azure AD credential enrollment Verify device policies via Group Policy Management	Hybrid environments and on-premises domains

Embedded Learning Resource

For a more detailed walkthrough, check out this informative video demonstrating the steps to set up automatic enrollment into Microsoft Intune using Group Policy and Autopilot.