Domain 1: Prepare Infrastructure for Devices

Auto-Enrollment & Bulk Enrollment

Enrolling devices one by one doesn't scale. Learn how auto-enrollment uses Entra ID join to trigger Intune enrollment, and how bulk enrollment handles iOS, Android, and Windows at volume.

Why auto-enrollment?

Simple explanation

Imagine a gym where signing up at the front desk also gives you a locker key — automatically.

That’s auto-enrollment. When a Windows device joins (or registers with) Microsoft Entra ID, it automatically enrolls in Intune too — no extra steps. One action, two outcomes: cloud identity AND device management.

For iOS and Android at scale, bulk enrollment methods skip the one-by-one setup entirely — you configure once, and hundreds of devices enroll themselves when unboxed.

Windows auto-enrollment

Sam at Tui Solutions wants every Windows device to enroll in Intune the moment it joins Entra ID. Here’s how:

Setup (3 steps)

  1. Entra admin center → Mobility (MDM and MAM) → Microsoft Intune
  2. Set MDM user scope to “All” (or a specific group)
  3. Optionally set MAM user scope for app-level management of unmanaged devices

Scope setting and what it does:

  • MDM user scope = All: Every user’s device auto-enrolls when Entra Joined or Hybrid Joined
  • MDM user scope = Some: Only devices belonging to users in the selected group auto-enroll
  • MDM user scope = None: No auto-enrollment (manual enrollment only)
  • MAM user scope: Enables app protection without full device enrollment (for registered/BYOD devices)

What triggers auto-enrollment?

Action and result:

  • Entra Join (Windows OOBE or Settings): Device auto-enrolls in Intune MDM
  • Hybrid Join (via Entra Connect + GPO): Device auto-enrolls via GPO trigger or Entra Connect
  • Entra Registration (personal device): Auto-enrolls in MAM only (if MAM scope configured)
  • Windows Autopilot: Uses auto-enrollment as part of the provisioning flow

Exam tip: MDM scope vs MAM scope

The exam tests whether you know the difference:

  • MDM scope = full device management (Entra Joined or Hybrid Joined devices)
  • MAM scope = app-level management only (Entra Registered / BYOD devices)

If a user’s device is Entra Joined and the MDM scope is set to “All,” the device automatically enrolls for full management. If a personal device is Entra Registered and only MAM scope is set, only app protection policies apply — Intune doesn’t manage the device itself.

Licence requirement: Entra ID P1 or P2 is required for auto-enrollment. This is included in M365 E3/E5 but NOT in M365 Business Basic.
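To confirm which of the trigger paths above a given Windows device actually took, the following PowerShell script parses the output of dsregcmd /status, classifies the device as Entra Joined, Hybrid Joined, Entra Registered or not joined, and states which scope (MDM or MAM) the auto-enrollment rules above apply to it. This is an added example, not code from the course or from Microsoft: the dsregcmd field names (AzureAdJoined, DomainJoined, WorkplaceJoined, MdmUrl, TenantName) are real, while the function names ConvertFrom-DsregStatus and Get-EntraJoinState and the sample output are this example’s own constructions.

```powershell
# Added example (not from the course page or Microsoft): classify a Windows
# device's Entra join state from `dsregcmd /status` and map it to the
# auto-enrollment outcome the course table describes.
# AzureAdJoined, DomainJoined, WorkplaceJoined, MdmUrl and TenantName are real
# dsregcmd output fields; the function names are this example's own.

function ConvertFrom-DsregStatus {
    # dsregcmd prints "Key : Value" lines inside boxed sections; keep the pairs.
    param([Parameter(Mandatory)][string[]]$Lines)
    $fields = @{}
    foreach ($line in $Lines) {
        if ($line -match '^\s*([A-Za-z]+)\s*:\s*(.*?)\s*$') {
            $fields[$Matches[1]] = $Matches[2]
        }
    }
    return $fields
}

function Get-EntraJoinState {
    # Default: query the local device. Pass -StatusLines to analyse captured output.
    param([string[]]$StatusLines = (dsregcmd /status))
    $f = ConvertFrom-DsregStatus -Lines $StatusLines
    $aadJoined  = $f['AzureAdJoined']   -eq 'YES'
    $domJoined  = $f['DomainJoined']    -eq 'YES'
    $registered = $f['WorkplaceJoined'] -eq 'YES'   # Entra Registered (User State section)

    if ($aadJoined -and $domJoined) {
        $join   = 'Hybrid Entra Joined'
        $scope  = 'MDM user scope'
        $expect = 'Full MDM enrollment via GPO trigger or Entra Connect (if user is in scope)'
    } elseif ($aadJoined) {
        $join   = 'Entra Joined'
        $scope  = 'MDM user scope'
        $expect = 'Full MDM enrollment (if user is in scope)'
    } elseif ($registered) {
        $join   = 'Entra Registered'
        $scope  = 'MAM user scope'
        $expect = 'App protection only; Intune does not manage the device'
    } else {
        $join   = 'Not joined'
        $scope  = 'None'
        $expect = 'No auto-enrollment; manual enrollment only'
    }

    # An empty MdmUrl on a joined device is a common sign that the joining
    # user sat outside the MDM user scope, so surface it alongside the verdict.
    [pscustomobject]@{
        JoinType        = $join
        GoverningScope  = $scope
        ExpectedOutcome = $expect
        MdmUrlPresent   = -not [string]::IsNullOrWhiteSpace($f['MdmUrl'])
        TenantName      = $f['TenantName']
    }
}

# Constructed sample output (trimmed) for an Entra Joined corporate laptop.
$sample = @'
+----------------------------------------------------------------------+
| Device State                                                         |
+----------------------------------------------------------------------+
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
+----------------------------------------------------------------------+
| Tenant Details                                                       |
+----------------------------------------------------------------------+
                TenantName : Tui Solutions
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
+----------------------------------------------------------------------+
| User State                                                           |
+----------------------------------------------------------------------+
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-EntraJoinState -StatusLines $sample   # analyse the constructed sample
# Get-EntraJoinState                      # run on the device itself
```

Run it without arguments on a device that should have auto-enrolled but did not: a JoinType of “Entra Joined” with MdmUrlPresent = False is the classic symptom of the user not being in the MDM user scope, while “Entra Registered” tells you only the MAM scope can ever apply, matching the exam tip above.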

iOS/iPadOS bulk enrollment

For corporate-owned iPhones and iPads, Apple provides Automated Device Enrollment (ADE) through Apple Business Manager (ABM).

How it works

  1. Apple Business Manager — your org registers with Apple and gets an ABM account
  2. Link ABM to Intune — download a token from ABM, upload it to Intune
  3. Assign devices to Intune — when you purchase devices through Apple or authorised resellers, serial numbers appear in ABM
  4. Create an enrollment profile — define settings (supervised mode, skip setup screens, etc.)
  5. User unboxes the device — it connects to Wi-Fi, contacts Apple, gets redirected to Intune, and enrolls automatically

ABM feature and what it does:

  • Supervised mode: Gives full management control — required for many enterprise restrictions
  • Skip Setup Assistant screens: Users skip Apple ID, location, Siri, etc. during setup
  • Assign to Intune MDM server: Devices automatically point to your Intune tenant
  • User affinity: Optional — associate the device with a specific user (for personal corporate devices)

Key exam concept: ADE devices are supervised by default, giving admins the deepest level of control. This is different from user-enrolled iOS devices, which have limited management.

Android enrollment profiles

Android has the most enrollment options because Google offers different management levels. Sam needs to understand all four for Tui Solutions’ mixed Android fleet.

Fully Managed
  • Device ownership: Corporate
  • User affinity: Yes (one user)
  • Admin control level: Full device
  • Personal apps allowed: Admin decides
  • Enrollment method: QR code, NFC, token, zero-touch
  • Best for: Corporate-only phones/tablets
  • Factory reset required: Yes

Dedicated
  • Device ownership: Corporate (shared)
  • User affinity: No (shared)
  • Admin control level: Full device (kiosk/signage)
  • Personal apps allowed: No (single-purpose)
  • Enrollment method: QR code, NFC, token, zero-touch
  • Best for: Kiosks, shared tablets, digital signs
  • Factory reset required: Yes

Corporate Work Profile
  • Device ownership: Corporate
  • User affinity: Yes (one user)
  • Admin control level: Work profile + device-level
  • Personal apps allowed: Yes, in personal profile
  • Enrollment method: QR code, NFC, token, zero-touch
  • Best for: Corporate phone where user also has personal apps
  • Factory reset required: Yes

Personal Work Profile
  • Device ownership: Personal (BYOD)
  • User affinity: Yes (one user)
  • Admin control level: Work profile only
  • Personal apps allowed: Yes (device owner controls)
  • Enrollment method: Company Portal app
  • Best for: Employee's own phone accessing work email
  • Factory reset required: No

Android enrollment setup

  1. Connect to Managed Google Play — link your Intune tenant to Google’s enterprise service
  2. Create enrollment profiles — one per management type (fully managed, dedicated, etc.)
  3. Generate enrollment tokens — QR codes or NFC tags for corporate devices
  4. For BYOD — users install Company Portal from Google Play and sign in

Deep dive: Android zero-touch enrollment

Zero-touch enrollment is Google’s equivalent of Apple’s ADE. Devices purchased from participating resellers are pre-registered with your Intune tenant. When a user turns on the device, it automatically configures itself without any manual steps.

Requirements:

  • Device must be purchased from a zero-touch reseller
  • Device must run Android 9.0 or later
  • Intune tenant must be linked to Managed Google Play

This is the most seamless Android enrollment method for corporate devices. Samsung also offers Samsung Knox Mobile Enrollment (KME) — a similar OEM-specific alternative that works with Samsung devices running Knox 2.8+.

Bulk enrollment for Windows

For Windows devices that can’t use Autopilot (e.g., no internet during setup), provisioning packages offer offline bulk enrollment:

  1. Use Windows Configuration Designer (WCD) to create a .ppkg file
  2. Include Entra join settings, Intune enrollment, Wi-Fi config, and apps
  3. Apply the package via USB or network share during OOBE
  4. Devices join Entra ID and enroll in Intune without internet (settings apply when connected)

We’ll cover provisioning packages in detail in Module 10.

Flashcards

Question

What triggers Windows auto-enrollment in Intune?

Answer

An Entra ID join or registration event. When a device joins (or registers with) Entra ID and the MDM user scope is configured, Intune enrollment happens automatically. Requires Entra ID P1 or P2.

Question

What is Apple Automated Device Enrollment (ADE)?

Answer

Apple's bulk enrollment method via Apple Business Manager. Corporate iOS/iPadOS devices are pre-assigned to Intune. When unboxed, they auto-enroll in supervised mode. Formerly called DEP (Device Enrollment Program).

Question

Name the four Android enrollment types in Intune.

Answer

1. Fully Managed (corporate, full control) 2. Dedicated (shared/kiosk devices) 3. Corporate-Owned Work Profile (corporate phone, work + personal profiles) 4. Personal Work Profile (BYOD, work profile only)

Question

What's the difference between MDM scope and MAM scope in Entra auto-enrollment?

Answer

MDM scope = full device management for Entra Joined/Hybrid Joined devices. MAM scope = app-level management only for Entra Registered (BYOD) devices. Both are configured in Entra ID under Mobility settings.

Knowledge Check

  1. Sam configures auto-enrollment with MDM user scope set to 'All.' A user joins their corporate laptop to Entra ID. What happens next?

  2. Riko at Pixel & Co needs to set up 20 new corporate-owned iPads for the design team. The iPads were purchased through an Apple authorised reseller. What's the most efficient enrollment method?

  3. A company needs kiosk tablets in their retail stores that display a single inventory app. No user signs in — the tablets are shared. Which Android enrollment type is correct?

Next up: Intune RBAC & Windows Hello for Business — controlling who can do what in Intune, and going passwordless.