User Self-Enrollment Options in Intune

In this course, we review the enrollment options available and processes to follow for enrolling Windows devices in Microsoft 365.

Learning Objectives

  • An overview of the different enrollment methods for Windows devices
  • Understand the self-enrollment options
  • Understand the administrator-based enrollment options
  • Know how to enable Windows automatic enrollment

Intended Audience

This course is intended for those who wish to learn about enrolling Windows devices in Microsoft 365 via Intune and Mobile Device Manager.


Prerequisites

You will require a basic understanding of Mobile Device Management in Microsoft 365.

Welcome to self-enrollment options in Intune. In this lesson, we’ll take a closer look at the options that are available for user self-enrollment of Windows devices in Intune. Let’s start with BYOD. Using the BYOD enrollment option allows users to self-enroll their personal devices via the Company Portal App, which needs to be downloaded and installed on the device.

This enrollment process is pretty straightforward. First, the user registers their device with Azure AD so that they can use corporate resources like email. Then, the user enrolls the device in Intune as a personally owned device, or a BYOD device.

Now, I do need to mention here that if you’ve configured Auto enrollment, which is only available with an Azure AD premium subscription, users only have to enter their credentials once during BYOD enrollment. However, if you have NOT configured auto enrollment, users will need to enroll separately through MDM-only enrollment, which means they’ll need to reenter their credentials.

While MDM-only enrollment IS an option to allow users to enroll an existing Workgroup-based, Active Directory-joined, or Azure Active Directory-joined PC into Intune, it’s not recommended because the device doesn’t get registered into Azure AD, meaning the users may not be able to access organization resources. It also prevents the use of some Azure AD features, like Conditional Access.

Azure AD Join is another common way to enroll Windows devices in Intune. It joins devices with Azure AD and allows the device users to use their Azure AD credentials to sign into Windows. If you’ve enabled Auto Enrollment, devices are automatically enrolled in Intune, which turns this kind of enrollment process into a single step for the user. That said, as was the case with BYOD, if you have not enabled auto enrollment, the users will need to enroll separately through MDM-only enrollment and reenter their credentials. 

I should point out that users can enroll via Azure AD Join either during initial Windows out of box experience, or from Settings. It’s also important to note that devices that join via Azure AD Join are marked as a corporate owned device in Intune.

The last self-enrollment option I want to cover here is Autopilot. Autopilot enrollment allows you to automate Azure AD Join. It also enrolls new org-owned devices into Intune. While this method is a bit more complicated to set up, it really simplifies the out-of-box experience for end users and eliminates the need for custom OS images for your devices.

Using Intune to manage Autopilot devices allows you to manage stuff like profiles, policies, and apps on devices that have been enrolled. There are four different types of Autopilot deployment available. You have Self-Deploying Mode, User Driven Mode, Windows Autopilot for pre-provisioned deployment, and you have Autopilot for existing devices.

Self-deploying mode allows you to deploy devices with little or no user interaction. It joins devices to Azure Active Directory and enrolls them in Intune, using Azure AD for automatic MDM enrollment. Self-deploying mode also ensures that all policies, apps, certificates, and networking profiles are provisioned on your devices.

You can use User-driven mode to configure new Windows devices and automatically change them from their factory state to a ready-to-use state, without any need for IT to touch the devices. The user-driven mode of enrollment is pretty straightforward. All you have to do is ship your devices to your users and instruct them to unbox the device, plug it in, and turn it on. All the user will have to do is choose a language, locale, and keyboard.

After connecting the device to a wireless or wired network with internet access, the user specifies their e-mail address and password for their organization account. At that point, the device automatically joins the organization, enrolls in Intune, and gets configured per the policies that have been set up for the organization.

The Windows Autopilot for pre-provisioned deployment option used to be called the Windows Autopilot white glove feature. Windows Autopilot allows you to easily provision new Windows devices by using the preinstalled OEM image and drivers. 

However, it can also provide a pre-provisioning service that allows you to pre-provision fully configured Windows PCs. Using the Windows Autopilot for pre-provisioned deployment option, the provisioning process is actually split up. The hard parts are done by IT or OEM, meaning all the user has to do is complete a handful of settings and policies before they can start using their devices.

The image on your screen gives a high-level view of what this process looks like:

I do need to point out that pre-provisioned deployments require Windows 10, version 1903 and later, and they support user-driven mode scenarios for Azure AD joined machines and Hybrid Azure AD joined devices. To read more about the details of this enrollment method, including detailed prerequisites, and the workflow, visit the URL on your screen:

And the last autopilot option I want to touch on is Autopilot for existing devices. Using modern desktop deployment with Windows Autopilot, you can deploy the latest version of Windows to existing devices in your organization. You can even automatically install the apps that your users need for their jobs.

Autopilot for existing devices allows you to convert existing domain-joined Windows 7 and Windows 8.1 computers to Windows 10 or Windows 11 devices that are joined to either Azure AD or are Hybrid Azure AD Joined. That said, you can’t use it to transform hybrid Azure AD devices into Azure AD Autopilot devices.

I should also mention that self-deploying and pre-provisioning profiles are not supported by Autopilot for existing devices. To use Autopilot for existing devices, you need to first meet a few prerequisites. You need a currently supported version of Microsoft Endpoint Configuration Manager current branch and access to the Windows Assessment and Deployment Kit.

From a licensing perspective, you need to assign Microsoft Intune Licenses to those who will be included in your deployment, and you need to be running a premium edition of Azure Active Directory. And, of course, you also need to have a supported version of Windows 10 or Windows 11 imported into Configuration Manager. This is used as the OS image for the transformations.

The overall process for enrolling pre-existing devices with Autopilot starts with configuring the Enrollment Status Page. It's an optional step, but it's useful for tracking the installation of apps, security policies, certificates, and network connections. 

Next, you need to create the AutopilotConfigurationFile.json file. This is the Autopilot profile, and it must be saved as a JSON file in either ASCII or ANSI format. After creating your JSON file, you need to create a package containing the file. This package is what gets deployed to your machines that you'll be converting. With the package created, you can then create a target collection of machines you are targeting.

At this point you need to create an Autopilot for existing devices Task Sequence. This task sequence will run the Prepare Windows for capture action on the target machines. It uses the Sysprep tool to do this. I should point out that the Prepare Windows for capture action will fail if the target machine is joined to a domain. This is because running Sysprep would knock it off the domain.

Next, you need to specify a content destination that contains your JSON file and any content that's required for the task sequence you've defined. At this point, you can deploy the new OS, using the Autopilot Task Sequence. 

After deploying the new OS to your target machines, the installation process can be completed on those machines. To do this, while on the target machine, which should be running Windows 7 or 8.1, click Start, and then type "Software Center" and press Enter. You'll see Autopilot for existing devices in the library. Select it and click Install.

The last step in the process is the registration of the device for Windows Autopilot. This can be done manually, or you can enable automatic registration for an assigned group. To do this, you'd use the "Convert all targeted devices to Autopilot" setting. Once the machine is enrolled, the process is complete.

To read about the details of each step, visit the URL that you see on your screen.
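The procedure above requires AutopilotConfigurationFile.json to be saved as ASCII or ANSI, and Windows PowerShell 5.1's `Out-File` writes UTF-16 unless told otherwise. The following pre-flight check is an added example, not part of the course material; the function name `Test-AutopilotJsonEncoding`, the temp folder, and the sample JSON content are hypothetical.

```powershell
# Added example: verify the profile file is ASCII/ANSI and parses as JSON
# before it is packaged. Function name and sample content are hypothetical.
function Test-AutopilotJsonEncoding {
    param([Parameter(Mandatory)][string]$Path)

    $bytes    = [System.IO.File]::ReadAllBytes($Path)
    $problems = New-Object System.Collections.Generic.List[string]

    if ($bytes.Length -eq 0) { $problems.Add('File is empty') }

    # A byte-order mark means the file was saved as Unicode, not ASCII/ANSI.
    if ($bytes.Length -ge 3 -and $bytes[0] -eq 0xEF -and $bytes[1] -eq 0xBB -and $bytes[2] -eq 0xBF) {
        $problems.Add('UTF-8 byte-order mark present')
    }
    elseif ($bytes.Length -ge 2 -and (($bytes[0] -eq 0xFF -and $bytes[1] -eq 0xFE) -or
                                      ($bytes[0] -eq 0xFE -and $bytes[1] -eq 0xFF))) {
        $problems.Add('UTF-16 byte-order mark present')
    }

    # NUL bytes indicate UTF-16 text even when no BOM was written.
    if ($bytes -contains 0) { $problems.Add('NUL bytes found (UTF-16 content)') }

    # Bytes above 0x7F are legal in ANSI but could also be UTF-8: report, do not fail.
    $highBytes = @($bytes | Where-Object { $_ -gt 0x7F }).Count

    # Syntax check only: decode as ASCII and let the JSON parser accept or reject it.
    try   { $null = [System.Text.Encoding]::ASCII.GetString($bytes) | ConvertFrom-Json -ErrorAction Stop }
    catch { $problems.Add('Content does not parse as JSON') }

    [pscustomobject]@{
        Path      = $Path
        Ready     = ($problems.Count -eq 0)
        HighBytes = $highBytes
        Problems  = $problems -join '; '
    }
}

# Constructed sample that stands in for a real Autopilot profile.
$sample = '{ "SampleSetting": "constructed placeholder" }'
$dir    = Join-Path ([System.IO.Path]::GetTempPath()) 'AutopilotJsonCheck'
New-Item -ItemType Directory -Path $dir -Force | Out-Null

$good = Join-Path $dir 'AutopilotConfigurationFile.json'
$bad  = Join-Path $dir 'AutopilotConfigurationFile-utf16.json'
$sample | Out-File -FilePath $good -Encoding ASCII
$sample | Out-File -FilePath $bad  -Encoding Unicode   # UTF-16 LE with BOM

Test-AutopilotJsonEncoding -Path $good
Test-AutopilotJsonEncoding -Path $bad
```

A non-zero `HighBytes` count on a file without a byte-order mark is worth a manual look, since the bytes alone cannot distinguish ANSI from BOM-less UTF-8.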

About the Author

Tom is a 25+ year veteran of the IT industry, having worked in environments as large as 40k seats and as small as 50 seats. Throughout the course of a long and interesting career, he has built an in-depth skillset that spans numerous IT disciplines. Tom has designed and architected small, large, and global IT solutions.

In addition to the Cloud Platform and Infrastructure MCSE certification, Tom also carries several other Microsoft certifications. His ability to see things from a strategic perspective allows Tom to architect solutions that closely align with business needs.

In his spare time, Tom enjoys camping, fishing, and playing poker.