How to Configure Automatic Intune MDM Enrollment | Auto Enrollment

This post explains how to configure Microsoft Intune to automatically enroll CYO or BYO devices. You can scope automatic enrollment to some Azure AD users, all users, or none. This is an old post, but the concepts are still the same.

There is an option in the old classic Azure portal to set up automatic Intune MDM enrollment for Windows 10 devices. A similar option is available in the new Azure portal with new names and a new look. More details about the Windows 10 Intune auto-enrollment process are explained in this post.

The Intune admin portal is one of the first things you have to learn. From this post, you will understand what is where in the Intune admin portal. The official name of the Intune admin portal is the Microsoft Intune Admin Center.

Introduction

The Intune auto-enrollment option will help you to do two (2) things, as explained in the video below. It is an old video now; the path to configure auto-enrollment has changed a bit, and I have explained it in the new Intune portal walkthrough video below.

  • First, whenever a Windows 10 device is joined to Azure AD, the device will automatically be enrolled into Intune for MDM management.
  • Second, the users allowed by the MDM user scope group can enroll devices into Intune.
Intune Portal Walkthrough | MEM Admin Center | Training

More details about Intune auto-enrollment using Group Policy are explained in the Microsoft document linked here, and in the Quick Start Guide for Windows auto-enrollment linked here.

NOTE! – For Windows 10 BYOD devices, the MAM user scope takes precedence if both the MAM user scope and the MDM user scope (automatic MDM enrollment) are enabled for all users (or for the same groups of users). The device will receive Windows Information Protection (WIP) policies (if you configured them) rather than being MDM enrolled.

Windows 10 Intune Auto Enrollment Process

The following is the place where you can set the MDM enrollment configuration in the new Azure portal. When your MDM user scope is set to None, none of the enrolled devices get the proper policies, and those devices won't work as expected.

  • In the Microsoft Intune admin center, choose Devices -> Device Onboarding -> Enrollment -> Windows.
  • Click on the Automatic Enrollment button.
How to Configure Automatic Intune MDM Enrollment Fig.2

Select the MDM user scope as All or a custom Azure AD group, as per your requirement. If it is set to None, users won't be able to enroll their devices into Intune management.

The simplest option is to specify "All" in the MDM user scope so that every user in your organization can enroll their devices into Intune. Windows 10 devices will then be automatically enrolled into Intune when the users perform an Azure AD join.

This option can be scoped to user groups. When you want to give a specific group of users the ability to enroll their devices into MDM/Intune, this is the place to configure that user group. Click on the Some option in the MDM user scope and select the user group you want to give access to.

From the same place, you can take a granular or phase-wise approach to move users to the new MDM management. There are 3 URL options in this blade; you can configure these URLs as per your MDM vendor.

Video: Windows 10 Intune Auto Enrollment Process

This is an old video recorded using the Azure portal UI. The concept is the same, but the options are different in the new portal UI.

Windows 10 AirWatch / MobileIron Auto Enrollment Process?

If your devices are managed by AirWatch or MobileIron, you can specify those vendors' URLs here. For Intune MDM, all the URLs are configured automatically in the new Azure portal. There are 3 different URLs in this blade.

1. MDM Terms of use URL – The URL of the terms of use endpoint of the MDM service

https://portal.manage.microsoft.com/TermsofUse.aspx

2. MDM Discovery URL – This is the URL of the enrollment endpoint of the MDM service. The enrollment endpoint is used to enroll devices for management with the MDM service. The URL given below is the Intune enrollment endpoint URL.

https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc

3. MDM Compliance URL – This is the URL of the compliance endpoint of the MDM service. When a user is denied access to a resource from a non-compliant device, the user can navigate to this URL, hosted by the Intune service, to understand why their device is considered noncompliant. Users can also initiate self-service remediation so their devices become compliant and they can continue to access resources.

https://portal.manage.microsoft.com/?portalAction
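The scope rules and the three blade URLs described above, as an added Python example (not code from the original post): it resolves what a given user ends up with under a pair of MDM/MAM user scope settings, including the BYOD rule from the note above, and lints the three URLs against the Intune defaults listed in this post. The group names are made-up placeholders.

```python
from dataclasses import dataclass
from urllib.parse import urlparse

# The three Intune endpoint URLs exactly as listed in the post.
INTUNE_URLS = {
    "terms_of_use": "https://portal.manage.microsoft.com/TermsofUse.aspx",
    "discovery": "https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc",
    "compliance": "https://portal.manage.microsoft.com/?portalAction",
}


@dataclass(frozen=True)
class UserScope:
    """One blade setting (MDM user scope or MAM user scope): None, Some or All."""
    mode: str                         # "none", "some" or "all"
    groups: frozenset = frozenset()   # Azure AD groups selected when mode == "some"

    def covers(self, user_groups: frozenset) -> bool:
        if self.mode == "all":
            return True
        if self.mode == "some":
            return bool(self.groups & user_groups)
        return False                  # "none": nobody can enroll


def enrollment_outcome(user_groups, mdm_scope, mam_scope, byod):
    """Outcome when this user joins (corporate) or registers (BYOD) a Windows 10 device."""
    if byod and mam_scope.covers(user_groups):
        # Per the note in the post: on BYOD the MAM scope wins, so the device
        # only gets WIP policies and is not MDM enrolled.
        return "wip-only"
    if mdm_scope.covers(user_groups):
        return "mdm-enrolled"
    return "not-enrolled"             # scope is None, or the user is outside the Some group


def check_mdm_urls(urls):
    """Lint the blade URLs: each must be present, HTTPS, and (for Intune) the default."""
    findings = []
    for name, expected in INTUNE_URLS.items():
        actual = urls.get(name)
        if not actual:
            findings.append(f"{name}: missing")
            continue
        if urlparse(actual).scheme != "https":
            findings.append(f"{name}: not https")
        if actual != expected:
            findings.append(f"{name}: differs from Intune default (third-party MDM?)")
    return findings
```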

Windows 10 Intune Auto Enrollment

So where is the option in the new Azure portal to configure the MDM auto-enrollment setting for Windows 10 devices and MDM enrollment for the rest of the devices (Android, iOS, and macOS)? The following is the place where you can configure the Intune MDM enrollment option: Microsoft Azure – Mobility (MDM and MAM).

Windows 10 Intune Auto Enrollment Process screen capture.

Reference link: Windows 10, Azure AD and Microsoft Intune: Automatic MDM enrollment powered by the cloud! – here

Author

Anoop is a Microsoft MVP! He is a Solution Architect in enterprise client management with more than 20 years of experience (calculation done in 2021) in IT. He is a blogger, speaker, and Local User Group HTMD Community leader. His main focus is on device management technologies like SCCM 2012, Current Branch, and Intune. He writes about ConfigMgr, Windows 11, Windows 10, Azure AD, Microsoft Intune, Windows 365, AVD, etc.

9 thoughts on “How to Configure Automatic Intune MDM Enrollment | Auto Enrollment”

  1. Hello Anoop, great article!
    When integrating a third-party vendor like MobileIron with Azure, is it also possible to use Conditional Access policies in Azure with devices that are managed by that third-party MDM vendor? Or what is the benefit of that integration?
    Thank you!

    Mike

    Reply
    • Hey Mike – This was not possible one year back. Azure AD APIs were not publicly available to support 3rd party MDM solutions. But not sure whether it's supported now or not.

      Reply
  2. I have a question for Intune. On my admin portal I have a client list with their PCs, and they are in the classic view,

    and that is the way I manage all those PCs.

    Now how can I transfer all those PCs to their respective Azure Intune portal? Appreciated if you
    send me the step-by-step procedure [email protected]

    Reply
  3. We are in the same boat. We have clients in Classic Intune with the Intune client installed.

    We want to move the devices to use MDM, so what is the process for this?

    Reply
  4. How long should it take between when you see a device enrolled in Azure AD (via an AD sync in a hybrid environment) and when that device appears in Intune/MDM? Can it take a long time? Hours? Days? I have a number of devices that have enrolled in Azure AD but still haven't shown up in MDM. It has been about 18 hours.

    Reply
      • I have the Group Policy enabled, but it doesn't seem to be working. I have even gone into individual machines and activated the policy at the desktop level, but still no joy. I have unregistered and re-registered these PCs several times.
        Many PCs have already been registered through this process. It just seems to have stopped working, or at least for the test machines I am playing with.

  5. I have new devices enrolling with Intune. After some time (15 minutes or so), they are added by a query-based collection to a pilot for co-management. They initially enroll in Intune with the display name (BCD123456) and show 'ConfigMgr' as 'Managed by'. Once 'co-managed' (they're really not) in Intune, Intune displays the Management Name as the display name.

    Interestingly, devices that have been SCCM-managed for some time, when added to the pilot collection, enroll with the correct name and are co-managed. (All devices are built with the same OSD task sequence.)

    This appears to be some kind of timing or missing record update issue.

    I have had a ticket(s) with Microsoft (Intune, SCCM and Azure) for a month with no traction or solution or even response.

    My posting here is an act of desperation, a cry for help.

    Have you seen this behavior? Any suggestions as to where to look for the root cause of why the Management name is being used once co-managed?

    Thank you.

    Reply
