How to add and enroll devices to Microsoft Intune

What are the options for enrolling Windows devices?

There are multiple ways to enroll Windows devices in Intune, and the best option usually depends on whether the device is corporate-owned or personal, how much lifecycle control IT needs and how much setup work the user should have to do. There are different enrollment scenarios for personally owned and corporate-owned devices, with the goal of keeping personal devices personal and corporate devices corporate.

• Windows Autopilot. For corporate-owned devices, Windows Autopilot is the most common option. Windows Autopilot is a service with a collection of technologies that aims to simplify the initial setup and deployment of new devices. During that process, the device is automatically joined to Microsoft Entra ID and automatically enrolled into Microsoft Intune. After that process is completed, the device is ready for management and use.
• Microsoft Entra join with automatic enrollment. When using Windows Autopilot is not an option, IT administrators can set corporate-owned devices to automatically enroll into Microsoft Intune. They can do this by choosing to join the device to Microsoft Entra ID and providing a work or school account during the out-of-box experience (OOBE). During that process, the same end result of enrollment will happen as with the Windows Autopilot method. However, this approach offers a lot less control over the full lifecycle of the device and a less user-friendly experience.
• Bulk enrollment with provisioning package. When there are a lot of corporate-owned devices that IT needs to enroll, bulk enrollment with a provisioning package can be an efficient alternative to Autopilot. Admins can apply a provisioning package during the OOBE that ensures the device is automatically joined to Microsoft Entra ID and automatically enrolled into Microsoft Intune.
• Intune Company Portal app. For personally owned devices, the Intune Company Portal app is the most common option. The user can download and install the Intune Company Portal app from the Microsoft Store and walk through the process within the app to enroll the device into Microsoft Intune. Once this process is complete, the device is enrolled as a personal device with only a few management options and insights for IT to work with. For privacy-sensitive BYOD scenarios, Intune also supports MAM for unenrolled Windows devices, which can protect organizational data at the app level without enrolling the entire device.
• Connecting a work or school account. Another option for personally owned devices is to use the available process within the Settings app to add a work or school account. The result will be similar to the Intune Company Portal app but with fewer insights about the status of the device and no direct overview of the available apps.

What is the most common scenario for corporate-owned Windows devices?

The enrollment of corporate-owned devices with Windows Autopilot is the most commonly used scenario for enrolling Windows devices into Microsoft Intune. Within this scenario it is important that those devices are registered with the Windows Autopilot service. The easiest way to achieve this is by arranging that during the purchase process of those devices.

Most vendors and OEMs support enrollment at the time of purchase for new devices. Often this means the vendor gets access to the tenant to automatically upload the required information to those devices. When the vendor only provides a CSV file with the device information, the IT administrator must upload that information to the Windows Autopilot service.

Microsoft also offers Windows Autopilot device preparation as a newer deployment option. It is designed to simplify provisioning, improve troubleshooting and speed setup, and it uses a different model from the traditional registered-device workflow described below.

What are the requirements for using Windows Autopilot?

There are not many requirements that need to be in place before an IT administrator can use Windows Autopilot. Admins must make sure the following licenses and configurations are in place:

• At least Microsoft Entra ID P1 license for automatic enrollment and at least Microsoft Intune P1 for Intune management. IT must have both assigned to the users.
• Basic Intune tenant setup with the MDM authority set to Microsoft Intune.
• Devices running a supported version of Windows 11 in a supported edition, such as Windows 11 Pro, Enterprise or Education.
• An administrator account with at least the Global Administrator or the Intune Service Administrator Microsoft Entra role assigned.

Windows Autopilot is often the best fit for corporate-owned devices because it offers more control over setup and lifecycle management.

The following setup steps cover the traditional Windows Autopilot workflow that uses registered devices and deployment profiles.

How to set up automatic enrollment for Windows Autopilot using Intune

When admins use Windows Autopilot for automatic enrollment of devices to Microsoft Intune, there are a few activities they must perform.

Configure automatic enrollment

The first task is to configure automatic enrollment. Automatic enrollment will ensure the device is automatically enrolled into Microsoft Intune -- after joining Microsoft Entra ID.

1. Open the Microsoft Intune admin center and go to Devices > Enrollment, then open the Windows tab and select Automatic Enrollment.
2. On the Configure page, configure the MDM user scope by choosing one of the following options (Figure 1).
1. None. MDM automatic enrollment is disabled.
2. Some. MDM automatic enrollment is enabled only for the selected group.
3. All. MDM automatic enrollment is enabled for all users.
3. Leave MDM terms of use URL, MDM discovery URL, and MDM compliance URL to their default configuration and click Save to store the changes.

Register the devices with Windows Autopilot

The second task is to register devices with Windows Autopilot -- this is only necessary if the devices are not already registered by the vendor. This will use information accessible theough a CSV file.

1. Open the Microsoft Intune admin center and go to Devices > Windows > Enrollment, then under Windows Autopilot select Devices.
2. On the Windows Autopilot devices page, as shown in Figure 2, click Import. Select the CSV file and click Import again.

The Windows Autopilot devices overview also provides insights with important details that IT admins can use to filter and group devices. The most important of these is the Group tag, which IT can easily adjust. To create an Entra device group based on that tag use the following example code:

(device.devicePhysicalIds -any (_ -eq "[OrderID]:Example"))

Create a Windows Autopilot deployment profile

The third task is to create a Windows Autopilot deployment profile, configure the deployment mode of the devices and customize the user's OOBE. The following steps will walk through the creation of that profile:

1. Open the Microsoft Intune admin center and go to Devices > Windows > Enrollment, then under Windows Autopilot select Deployment Profiles.
2. On the Windows Autopilot deployment profiles page, select Create profile > Windows PC.
3. On the Basics page, specify a name for the profile and click Next.
4. On the Out-of-box experience (OOBE) page, configure at least the first two settings and click Next (Figure 3).
1. Deployment mode. Select User-Driven for a standard Windows Autopilot deployment, in which users provide their credentials during the enrollment and the device is assigned to that user.
2. Join to Microsoft Entra ID as. Select Microsoft Entra joined for the Microsoft recommended location to join new devices. Organizations that still depend on on-premises Active Directory can use Microsoft Entra hybrid join with Windows Autopilot, but Microsoft recommends Microsoft Entra join for new devices.
3. For the remaining settings, choose what's applicable based on internal policies. Determine which pages should be shown, choose the account type, configure the language and determine the name standard.
5. On the Scope tags page, click Next.
6. On the Assignments page, configure the appropriate assignment of the profile based on an Entra device group. Consider using a group based on a Group tag.
7. On the Review + create page, review the configuration and click Create.

After these configurations are complete, IT can use Windows Autopilot to deploy corporate-owned devices with a more consistent setup experience and stronger lifecycle control than lighter-touch enrollment methods. Admins should also configure an Enrollment Status Page so required apps and policies apply before the device is handed over for use.

Editor's note: This article was updated in April 2026 to reflect current Microsoft Intune enrollment guidance and improve the reader experience.

Peter van der Woude works as a mobility consultant and knows the ins and outs of the ConfigMgr and Microsoft Intune tools. He is a Microsoft MVP and a Windows expert as well.