When users login to their Windows devices they can be automatically enrolled into Intune to allow their devices to be managed. This is also known as MDM user scope.
Enrolling devices into your environment is one of the steps in configuring Microsoft Intune within Azure AD. When it comes to managing devices, configuring automatic enrollment is one of the most useful features .
When users sign into their Windows device using their work credentials during the initial setup or adds a work account. Intune can automatically enroll the device, enabling the management of the device. This is controlled by MDM user scope.
Automatic enrollment allows you to see and control devices used for work, setting policies and ensuring compliance.
Enable automatic enrollment in Microsoft Intune
-
Sign into the client tenant here.
-
Click Devices -> Windows -> Windows enrollment -> Automatic Enrollment.
Note: This setting affects all devices not just windows devices, even though the setting is located under Devices and Windows.
-
Note that by Selecting Some, you can choose designated groups in Azure Active Directory (AAD) that will receive automatic enrollment. This is useful for testing and for situations where you only want to enroll some users / groups.
-
To add groups, click No groups selected and select the group you would like to target.
-
Click Select and then Save.
Some clients may choose to select All to automatically enroll all devices rather than a specific group. Group enrollment can be a great option if you want to test Intune in your environment before deploying to the entire business or restrict enrollment to specified users.
Licensing requirements for Microsoft Intune
Your users must be licensed for Intune and Intune service must be turned on in the license for automatic enrollment to work.
Intune is included in the following licenses
-
Microsoft 365 E5
-
Microsoft 365 E3
-
Enterprise Mobility + Security E5
-
Enterprise Mobility + Security E3
-
Microsoft 365 Business Premium
-
Microsoft 365 F1
-
Microsoft 365 F3
-
Microsoft 365 Government G5
-
Microsoft 365 Government G3Microsoft 365 Education A5
-
Microsoft 365 Education A3
You must also ensure that the Intune service is turned on in the license:
You can create a dynamic group with the following rule that will automatically be populated with users that are licensed for Intune and have the service turned on.
user.assignedPlans -any (assignedPlan.servicePlanId -eq “c1ec4a95-1f05-45b3-a911-aa3fa01094f5” -and assignedPlan.capabilityStatus -eq “Enabled”)
Plan service ID can be obtained here: https://docs.microsoft.com/en-us/azure/active-directory/enterprise-users/licensing-service-plan-reference.
Have more questions about Microsoft Intune?
We offer several services for Microsoft Intune, from implementation to support. If you have more questions about Microsoft Intune, contact us or check out our Endpoint Support service.
Terrence Brown
Terrence is our Senior Engineer in the US and works with clients in the Microsoft O365 space helping to design and development Endpoint Management solutions. Terrence is a Marine Corps veteran and graduate of Kaplan University. Prior to joining Mobile Mentor, Terrence spent over 5 years working for a Microsoft top 10 Consulting partner in the SCCM and O365 technology space where he implemented and designed solutions for different clients both large and small.
