Intune Enrollment by Platform
Key Takeaways
- Intune enrollment is the management relationship that lets devices receive policies, apps, profiles, and compliance evaluation.
- Windows automatic enrollment depends on Microsoft Intune being selected for MDM enrollment and the user being included in the MDM user scope.
- Enrollment restrictions and device limit restrictions are pre-enrollment controls; compliance policies evaluate devices after they are enrolled.
- For iOS/iPadOS corporate devices, Automated Device Enrollment through Apple Business Manager or Apple School Manager provides supervised, scalable enrollment profiles.
- For Android Enterprise, choose dedicated for userless devices, fully managed for work-only single-user devices, and corporate-owned work profile for company devices that also allow personal use.
Enrollment turns identity into management
Microsoft describes device enrollment as the process that lets endpoints receive the policies and profiles you configure in Intune. On MD-102, enrollment questions often ask what must be configured before a device can enroll, which enrollment profile matches a platform, or which setting blocks an unwanted enrollment path.
Think in layers. Device identity tells Microsoft Entra ID what the device is. Enrollment tells Intune that the device can be managed. Compliance tells Microsoft Entra Conditional Access whether the managed device meets requirements.
| Control | When it applies | What it answers |
|---|---|---|
| MDM user scope | During Windows join or registration | Which users trigger automatic Intune enrollment? |
| Platform enrollment restriction | Before enrollment completes | Are personal or corporate devices allowed for this platform? |
| Device limit restriction | Before enrollment completes | How many devices can a user enroll? |
| Corporate device identifiers | Before or during enrollment | Can Intune classify supported devices as corporate-owned? |
| Enrollment profile | During platform-specific setup | What setup experience, ownership, user affinity, and management mode should the device receive? |
| Compliance policy | After enrollment | Does the device meet security requirements? |
Windows enrollment decisions
For Windows, the exam heavily tests automatic enrollment. In the Intune admin center, automatic enrollment is configured under Devices > Enrollment > Windows > Automatic Enrollment. The critical setting is the Microsoft Intune MDM user scope, which can be set to All, Some, or None. If a user joins a Windows device to Microsoft Entra ID but is outside the MDM user scope, the join can succeed while Intune enrollment never starts.
Windows enrollment options include:
- Automatic MDM enrollment for Microsoft Entra joined or registered Windows devices when the user is in scope.
- Windows Autopilot enrollment profiles for new or reset corporate devices; the deeper Autopilot deployment-mode material belongs mostly to the Manage and maintain devices domain, but the MDM scope and enrollment profile still matter here.
- Bulk enrollment with provisioning packages for userless or staged corporate Windows devices. Microsoft states that Windows bulk enrollment uses Windows Configuration Designer and requires Windows automatic enrollment to be enabled.
- Device Enrollment Manager accounts when technicians must enroll many corporate devices. Microsoft documents DEM accounts as nonadministrator users that can enroll and manage up to 1,000 devices, compared with 15 for a standard nonadmin account.
iOS/iPadOS enrollment decisions
For corporate-owned Apple mobile devices, use Automated Device Enrollment (ADE) through Apple Business Manager or Apple School Manager. ADE supports supervised devices, zero-touch deployment, bulk enrollment, single-user devices, shared or userless devices, and direct shipment to users. Prerequisites include an Intune tenant with MDM authority set to Intune, an Apple MDM push certificate, and Apple enrollment tokens/profiles.
A typical iOS/iPadOS corporate flow is:
- Connect Apple Business Manager or Apple School Manager to Intune with an enrollment token.
- Create an ADE enrollment profile that defines user affinity, authentication, Setup Assistant behavior, and supervision-related settings.
- Assign the profile to synced Apple device records or set a default profile for the token.
- Ship devices to users; Apple Setup Assistant starts enrollment when the device turns on.
For personal iPhones and iPads, do not use ADE. Use Apple user enrollment, device enrollment, or mobile application management without enrollment depending on how much control the organization needs. If the requirement is to block personal iOS/iPadOS devices while allowing corporate devices, configure ownership recognition first, such as ADE device records or corporate identifiers, and then enforce platform enrollment restrictions.
Android Enterprise enrollment decisions
Android Enterprise has several profile types, and MD-102 questions often hide the answer in ownership and user-affinity words.
| Android Enterprise profile | Best scenario | Exam clue |
|---|---|---|
| Dedicated device | Kiosk, shared scanner, digital sign, frontline task device | No primary user, locked-down use, managed app set. |
| Fully managed | Corporate-owned, single-user, work-only device | The organization controls the whole device and personal use is not intended. |
| Corporate-owned work profile | Company-owned device with work and personal separation | User can keep personal apps/data private while the company controls work profile and some device settings. |
| Personally owned work profile | BYOD Android | Employee owns the device; management is limited to the work profile. |
Corporate Android enrollment profiles generate tokens or QR codes and can also work with Google Zero Touch, Samsung Knox Mobile Enrollment, NFC, or token entry depending on the profile and device support. Microsoft specifically notes that fully managed and corporate-owned work profile devices use enrollment tokens/profiles, and Android setup can require Conditional Access exclusions for the Microsoft Intune cloud app if a broad compliant-device policy would otherwise block enrollment.
Platform restriction patterns
Use enrollment restrictions to stop unwanted enrollment before the device joins Intune. For example, block personally owned Android devices while allowing Android Enterprise corporate-owned enrollment. Use device limit restrictions when the requirement is per-user quantity, such as no more than three enrolled devices. Use compliance policies only after enrollment; they do not prevent the initial enrollment attempt.
Exam checklist
- For Windows automatic enrollment problems, check licensing and MDM user scope first.
- For iOS/iPadOS corporate zero-touch, think Apple Business Manager or Apple School Manager plus ADE profile.
- For Android kiosks, choose dedicated devices; for work-only single-user, choose fully managed; for corporate device with personal use, choose corporate-owned work profile.
- For blocking personal enrollment, use platform enrollment restrictions and ownership recognition, not compliance policy.
- For staging many devices with one identity, consider DEM or platform-specific bulk enrollment only when the scenario fits.
A pilot group joins new Windows 11 laptops to Microsoft Entra ID during out-of-box setup. The devices appear in Microsoft Entra ID, but they never appear as managed devices in Intune. The users have Intune licenses. Which setting should you check first?
A company buys 2,000 iPads through Apple Business Manager and wants them supervised, assigned an enrollment profile, and shipped directly to employees without technicians touching each device. Which enrollment method should you configure?
Warehouse barcode scanners run Android and are shared by many shift workers. The devices should have no personal profile, no primary user, and only approved work apps. Which Android Enterprise profile best matches the requirement?
Security wants to prevent employees from enrolling personal Android phones while allowing approved corporate Android Enterprise devices to enroll. Which control should be used to stop the personal devices before enrollment completes?