Windows enrollment Configuration Settings:
1. Configure Windows devices to enroll when they join or register with Azure Active Directory
To configure Windows devices to automatically enroll when they join or register with Azure Active Directory (Azure AD), you set up automatic MDM enrollment for Windows devices in Azure AD, which requires the tenant to be integrated with Microsoft Intune. This ensures devices are enrolled in Intune management as soon as they perform an Azure AD join or device registration.
Here are the key steps to configure this automatic enrollment:
- Sign in to the Azure portal and go to Microsoft Entra ID (formerly Azure AD).
- Navigate to Devices > Enroll devices > Mobility (MDM and MAM).
- Under Microsoft Intune, configure the automatic enrollment settings:
  - MDM user scope: Set this to either All to allow all users to auto-enroll devices, or Some if you want only users in specific Azure AD groups to auto-enroll.
  - If you select Some, specify the user groups allowed to auto-enroll.
- Save the changes.
Enabling this setting triggers devices to automatically enroll into Intune MDM whenever a user performs either:
- Azure AD Join during device setup (e.g., a new Windows Autopilot device or a manual Azure AD Join), or
- Azure AD device registration (for personal BYOD scenarios using user enrollment).
This automatic enrollment streamlines device management by ensuring devices become enrolled in Intune as part of the Azure AD join or registration process, with no additional manual enrollment steps needed.
2. CNAME validation in Windows automatic enrollment
CNAME validation in
Windows automatic enrollment refers to creating and verifying DNS CNAME
records that enable Windows devices to automatically discover and connect to
Microsoft Intune's enrollment servers during Azure AD join or registration
without requiring users to manually enter server information.
Why is CNAME Validation Needed?
- Windows devices use DNS CNAME records to locate the MDM (Mobile Device Management) server automatically when enrolling with Intune.
- Without the correct CNAME records, users can be prompted to manually enter the enrollment server URL (enrollment.manage.microsoft.com), which complicates and delays the enrollment process.
- Proper CNAME records streamline enrollment by enabling seamless auto-discovery of the Intune enrollment server during device setup or registration.
What CNAME Records Are Required?
1. Enrollment CNAME Record
Points to the Intune enrollment server and enables auto-discovery for Windows devices during automatic enrollment.

Type | Host Name | Points to | TTL
--- | --- | --- | ---
CNAME | EnterpriseEnrollment.<your_domain> | EnterpriseEnrollment-s.manage.microsoft.com | 1 hour

- <your_domain> should be your company's registered domain matching the user principal name (UPN) suffix.
- The target EnterpriseEnrollment-s.manage.microsoft.com is preferred because it does not require user confirmation, simplifying enrollment.
- Alternate targets like EnterpriseEnrollment.manage.microsoft.com or manage.microsoft.com work but prompt an extra confirmation from the user.
2. Registration CNAME Record (for Azure AD device registration)
Needed if you are using Conditional Access policies and want smoother device registration.

Type | Host Name | Points to | TTL
--- | --- | --- | ---
CNAME | EnterpriseRegistration.<your_domain> | EnterpriseRegistration.windows.net | 1 hour
How to Validate CNAME Records
- After creating the CNAME DNS records in your domain registrar or DNS hosting platform, wait for DNS propagation (can be up to 72 hours).
- Use online DNS propagation tools (like MxToolbox or DNSchecker) to verify the DNS records have propagated.
- In the Microsoft Intune Admin Center:
  a. Navigate to Devices > Windows > Windows enrollment > CNAME Validation.
  b. Enter your domain (e.g., imech544.onmicrosoft.com).
  c. Click Test.
- If the message returned is "CNAME for yourdomain.com has been configured correctly," validation succeeded.
Additional Notes
- If you have multiple UPN suffixes/domains (e.g., contoso.com, us.contoso.com), create a CNAME record for each one.
- For BYOD and personal device user enrollment, the CNAME is not required.
- CNAME records are specifically crucial for Windows device auto-enrollment scenarios via Azure AD join and Autopilot deployments.
- Alternate redirection methods, like proxying or URL rewriting, are not supported; CNAMEs must be direct aliases.
Summary Table

Purpose | CNAME Host Name | Points to | Notes
--- | --- | --- | ---
Windows enrollment | EnterpriseEnrollment.your_domain.com | EnterpriseEnrollment-s.manage.microsoft.com | Preferred target, no user confirmation prompt
Azure AD device registration | EnterpriseRegistration.your_domain.com | EnterpriseRegistration.windows.net | Required for Conditional Access device registration

In essence, CNAME validation ensures that Windows devices can automatically and transparently discover the correct Microsoft Intune enrollment servers during Azure AD join or registration for automatic enrollment. It is a best practice that simplifies user experience and deployment automation.
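As an added example (not part of these notes and not Microsoft tooling), the following PowerShell script applies the checks described above to every UPN suffix: it resolves both CNAMEs, distinguishes the preferred target from the alternate targets that trigger a confirmation prompt, and flags missing or wrong records. The domains and the sample zone are constructed placeholders; the live path uses Resolve-DnsName from the Windows DnsClient module.

```powershell
# Added example (not from the original notes): check the two Intune CNAME records
# for each UPN suffix and classify each result as the notes describe.

$ExpectedTargets = [ordered]@{
    'EnterpriseEnrollment'   = @{
        Preferred = 'EnterpriseEnrollment-s.manage.microsoft.com'
        Alternate = @('EnterpriseEnrollment.manage.microsoft.com', 'manage.microsoft.com')
    }
    'EnterpriseRegistration' = @{
        Preferred = 'EnterpriseRegistration.windows.net'
        Alternate = @()
    }
}

function Test-IntuneCname {
    param(
        [Parameter(Mandatory)] [string[]] $UpnSuffix,
        # Script block that takes a host name and returns its CNAME target (or $null).
        # The default performs a live DNS lookup; pass your own block to use sample data.
        [scriptblock] $Resolver = {
            param($Name)
            $rec = Resolve-DnsName -Name $Name -Type CNAME -ErrorAction SilentlyContinue |
                   Where-Object { $_.Type -eq 'CNAME' } | Select-Object -First 1
            if ($rec) { $rec.NameHost }
        }
    )
    foreach ($domain in $UpnSuffix) {
        foreach ($prefix in $ExpectedTargets.Keys) {
            $name   = "$prefix.$domain"
            $target = & $Resolver $name
            $spec   = $ExpectedTargets[$prefix]
            # A CNAME must be a direct alias to the Microsoft host; anything else is wrong.
            $status = if (-not $target) { 'MISSING' }
                      elseif ($target.TrimEnd('.') -eq $spec.Preferred) { 'OK (preferred target)' }
                      elseif ($spec.Alternate -contains $target.TrimEnd('.')) { 'OK (alternate target; users get a confirmation prompt)' }
                      else { 'WRONG TARGET (must be a direct alias to the Microsoft host)' }
            [pscustomobject]@{ Host = $name; Target = $target; Status = $status }
        }
    }
}

# Constructed sample zone (hypothetical domains) so the check runs without DNS access:
# contoso.com is correct; us.contoso.com uses an alternate target and lacks the registration record.
$SampleZone = @{
    'EnterpriseEnrollment.contoso.com'    = 'EnterpriseEnrollment-s.manage.microsoft.com'
    'EnterpriseRegistration.contoso.com'  = 'EnterpriseRegistration.windows.net'
    'EnterpriseEnrollment.us.contoso.com' = 'manage.microsoft.com'
}
Test-IntuneCname -UpnSuffix 'contoso.com', 'us.contoso.com' -Resolver { param($Name) $SampleZone[$Name] } |
    Format-Table -AutoSize

# Live check against real DNS (Windows, DnsClient module):
# Test-IntuneCname -UpnSuffix 'contoso.com' | Format-Table -AutoSize
```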
Device Type Restrictions vs Device Limit Restrictions:
In Microsoft Intune, two independent policies, Device Type Restrictions and Device Limit Restrictions, provide control over the device enrollment process and subsequent management.
✅ 1. Device Type Restrictions
Purpose:
Control what types of devices (based on platform and ownership) users can enroll into Intune.
Where it's Configured:
- Intune Admin Center → Devices → Enrollment device platform restrictions
Key Settings:
- Allow/block specific platforms:
  - Android (work profile, personally-owned, dedicated)
  - iOS/iPadOS
  - macOS
  - Windows (MDM only)
  - Linux (if applicable)
- Blocked reasons can include:
  - Device type not allowed (e.g., personal Windows devices)
  - OS version requirements (minimum/maximum)
  - Android manufacturer restrictions (block devices from certain vendors)
Use Case Examples:
- Block personal iOS devices (BYOD) from enrolling.
- Allow only corporate-owned Android devices.
- Block macOS devices completely.
✅ 2. Device Limit Restrictions
Purpose:
Limit how many devices a single user can enroll into Intune.
Where it's Configured:
- Intune Admin Center → Devices → Enrollment device limit restrictions
Key Settings:
- Set a maximum number of devices per user (default is 5).
- Applies across all device types unless separated by group policies.
Use Case Examples:
- Limit users to enroll up to 2 devices only (e.g., 1 laptop + 1 phone).
- Prevent service accounts or shared users from enrolling many devices.
Create an enrollment notification:
Set up enrollment notifications in Microsoft Intune to notify employees of newly enrolled devices. Enrollment notifications are sent to assigned users via your selected method: email or push notification. Within a notification, you can:
- Add a custom message for the user, with information about how to report an unrecognized device.
- Apply your tenant's branding and customization settings (email notifications only).

- Sign in to the Microsoft Intune admin center as an Intune Administrator.
- Go to Devices > Enrollment.
- Select the Windows, Apple, or Android tab.
- Choose Enrollment notifications.
  Apple and Android notifications are supported on iOS, macOS, Android Enterprise, and Android device administrator, respectively. Select the tab that corresponds to the OS you're managing.
  Your options for Apple enrollment are:
  - iOS/iPadOS Notifications
  - macOS Notifications
  Your options for Android enrollment are:
  - Android Enterprise Notifications
  - Android device administrator Notifications
- Select Create notifications.
- In Basics, configure the following settings:
  - Name: Enter a descriptive name for the notification. Name your notifications so you can easily identify them later.
  - Description: Enter a description for the notification. This setting is optional, but recommended.
- Select Next.
- In Notification settings, configure the notification messages. The options for push notifications are:
  - Send Push Notification: Flip the switch On to enable and create a push notification.
  - Subject: Enter the subject of the enrollment notification.
  - Message: Enter your message, explaining the purpose of the notification. The character limit is 2000.
Windows Hello for Business:
Windows Hello for Business settings let users access their devices using a gesture, such as biometric authentication, or a PIN.
Create a Windows Hello for Business policy for device enrollment
- Sign in to the Microsoft Intune admin center.
- Go to Devices > Enrollment.
- In the Windows tab, under Enrollment options, select Windows Hello for Business. Wait while the Windows Hello for Business pane opens.
- Select from the following options for Configure Windows Hello for Business:
  - Enabled. Select this setting if you want to configure Windows Hello for Business settings. When you select Enabled, other settings for Windows Hello are visible and can be configured for devices.
  - Disabled. If you don't want to enable Windows Hello for Business during device enrollment, select this option. When disabled, users can't provision Windows Hello for Business. When set to Disabled, you can still configure the subsequent settings for Windows Hello for Business even though this policy won't enable Windows Hello for Business.
  - Not configured. Select this setting if you don't want to use Intune to control Windows Hello for Business settings. Any existing Windows Hello for Business settings on Windows 10/11 devices don't change. All other settings on the pane are unavailable.
🔧 Pre-Requisites
- You must be Intune Administrator or Global Administrator
- Have the Microsoft.Graph.DeviceManagement module installed: