Guided by A Guide to Cloud
MD-102 Study Guide

Domain 1: Prepare Infrastructure for Devices

  • Device Identity: Join, Register & Hybrid Free
  • Build the Right Device Groups
  • Intune Enrollment Essentials Free
  • Auto-Enrollment & Bulk Enrollment
  • Intune RBAC & Windows Hello for Business
  • Compliance Policies & Conditional Access
  • Windows LAPS & Local Group Management

Domain 2: Manage and Maintain Devices

  • Windows Autopilot: Choose Your Path Free
  • Autopilot: Device Names, ESP & Rollout
  • Provisioning Packages & Windows 11 Upgrades
  • Windows 365: Your PC in the Cloud
  • Configure Windows Devices with Intune
  • Config Profiles: Android, iOS & macOS
  • Control Admin Rights with EPM
  • Intune Suite: Apps, Analytics & Remote Help
  • Cloud PKI & Tunnel for MAM
  • Remote Actions & Device Queries

Domain 3: Manage Applications

  • App Deployment: Prepare & Package
  • Deploy Apps with Intune & App Stores
  • Microsoft 365 Apps: Deploy, Customize & Manage
  • App Protection Policies & Conditional Access
  • App Configuration: Managed Apps & Managed Devices

Domain 4: Protect Devices

  • Endpoint Security: Antivirus, Firewall & Encryption
  • Attack Surface Reduction & Security Baselines
  • Defender for Endpoint: Integrate & Onboard
  • Plan and Manage Windows Updates
  • Cross-Platform Updates & Delivery Optimization

Domain 1: Prepare Infrastructure for Devices Premium ⏱ ~12 min read

Auto-Enrollment & Bulk Enrollment

Enrolling devices one by one doesn't scale. Learn how auto-enrollment uses Entra ID join to trigger Intune enrollment, and how bulk enrollment handles iOS, Android, and Windows at volume.

Why auto-enrollment?

☕ Simple explanation

Imagine a gym where signing up at the front desk also gives you a locker key — automatically.

That’s auto-enrollment. When a Windows device joins (or registers with) Microsoft Entra ID, it automatically enrolls in Intune too — no extra steps. One action, two outcomes: cloud identity AND device management.

For iOS and Android at scale, bulk enrollment methods skip the one-by-one setup entirely — you configure once, and hundreds of devices enroll themselves when unboxed.

Automatic enrollment for Windows uses the Entra ID join or registration event as a trigger to enroll the device in Intune simultaneously. This is configured via the MDM/MAM settings in Entra ID and requires Entra ID P1 or P2 (included in Microsoft 365 E3/E5 and EMS E3/E5).

For iOS/iPadOS, bulk enrollment uses Apple Business Manager (ABM) with Automated Device Enrollment (ADE, formerly DEP). For Android, enrollment profiles define corporate management levels from fully managed to work profile.

Windows auto-enrollment

Sam at Tui Solutions wants every Windows device to enroll in Intune the moment it joins Entra ID. Here’s how:

Setup (3 steps)

  1. Entra admin center → Mobility (MDM and MAM) → Microsoft Intune
  2. Set MDM user scope to “All” (or a specific group)
  3. Optionally set MAM user scope for app-level management of unmanaged devices

| Scope Setting | What It Does |
|---|---|
| MDM user scope = All | Every user’s device auto-enrolls when Entra Joined or Hybrid Joined |
| MDM user scope = Some | Only devices belonging to users in the selected group auto-enroll |
| MDM user scope = None | No auto-enrollment (manual enrollment only) |
| MAM user scope | Enables app protection without full device enrollment (for registered/BYOD devices) |

What triggers auto-enrollment?

| Action | Result |
|---|---|
| Entra Join (Windows OOBE or Settings) | Device auto-enrolls in Intune MDM |
| Hybrid Join (via Entra Connect + GPO) | Device auto-enrolls via GPO trigger or Entra Connect |
| Entra Registration (personal device) | Auto-enrolls in MAM only (if MAM scope configured) |
| Windows Autopilot | Uses auto-enrollment as part of the provisioning flow |

💡 Exam tip: MDM scope vs MAM scope

The exam tests whether you know the difference:

  • MDM scope = full device management (Entra Joined or Hybrid Joined devices)
  • MAM scope = app-level management only (Entra Registered / BYOD devices)

If a user’s device is Entra Joined and the MDM scope is set to “All,” the device automatically enrolls for full management. If a personal device is Entra Registered and only MAM scope is set, only app protection policies apply — Intune doesn’t manage the device itself.

Licence requirement: Entra ID P1 or P2 is required for auto-enrollment. This is included in M365 E3/E5 but NOT in M365 Business Basic.
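
To confirm on a device which of the outcomes above applies, the following added example (not part of the original guide) parses `dsregcmd /status` output and maps the join state to the expected enrollment result. The function name `Get-EnrollmentExpectation` is hypothetical, the sample output is constructed, and treating an empty `MdmUrl` as "user outside MDM scope or unlicensed" is an assumption of this sketch.

```powershell
# Constructed sample of trimmed `dsregcmd /status` output.
# On a real device use:  $raw = dsregcmd /status
$raw = @'
| Device State                                                         |
             AzureAdJoined : YES
              DomainJoined : NO
| Tenant Details                                                       |
                TenantName : Tui Solutions
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
| User State                                                           |
           WorkplaceJoined : NO
'@ -split "`r?`n"

# Hypothetical helper: derive join type and expected enrollment outcome.
function Get-EnrollmentExpectation {
    param([string[]]$StatusLines)

    # Collect "Key : Value" pairs; section banner lines do not match.
    $field = @{}
    foreach ($line in $StatusLines) {
        if ($line -match '^\s*(\w+)\s*:\s*(.*?)\s*$') {
            $field[$Matches[1]] = $Matches[2]
        }
    }

    $entra  = $field['AzureAdJoined'] -eq 'YES'
    $domain = $field['DomainJoined'] -eq 'YES'
    # Assumption: an empty MdmUrl means no MDM enrollment endpoint was issued.
    $hasMdm = -not [string]::IsNullOrWhiteSpace($field['MdmUrl'])

    if ($entra -and $domain) { $join = 'Hybrid Joined' }
    elseif ($entra) { $join = 'Entra Joined' }
    elseif ($field['WorkplaceJoined'] -eq 'YES') { $join = 'Entra Registered' }
    else { $join = 'Not joined' }

    # Map join type to the outcome this module describes.
    $expect = switch ($join) {
        'Entra Registered' { 'MAM only, if MAM user scope is configured' }
        'Not joined'       { 'No auto-enrollment trigger' }
        default {
            if ($hasMdm) { 'MDM auto-enrollment (user in MDM scope)' }
            else { 'Joined, but no MDM URL: check MDM user scope and licence' }
        }
    }

    [pscustomobject]@{ JoinType = $join; MdmUrlPresent = $hasMdm; Expectation = $expect }
}

Get-EnrollmentExpectation -StatusLines $raw | Format-List
```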

iOS/iPadOS bulk enrollment

For corporate-owned iPhones and iPads, Apple provides Automated Device Enrollment (ADE) through Apple Business Manager (ABM).

How it works

  1. Apple Business Manager — your org registers with Apple and gets an ABM account
  2. Link ABM to Intune — download a token from ABM, upload it to Intune
  3. Assign devices to Intune — when you purchase devices through Apple or authorised resellers, serial numbers appear in ABM
  4. Create an enrollment profile — define settings (supervised mode, skip setup screens, etc.)
  5. User unboxes the device — it connects to Wi-Fi, contacts Apple, gets redirected to Intune, and enrolls automatically

| ABM Feature | What It Does |
|---|---|
| Supervised mode | Gives full management control — required for many enterprise restrictions |
| Skip Setup Assistant screens | Users skip Apple ID, location, Siri, etc. during setup |
| Assign to Intune MDM server | Devices automatically point to your Intune tenant |
| User affinity | Optional: associate the device with a specific user (for personal corporate devices) |

Key exam concept: ADE devices are supervised by default, giving admins the deepest level of control. This is different from user-enrolled iOS devices, which have limited management.

Android enrollment profiles

Android has the most enrollment options because Google offers different management levels. Sam needs to understand all four for Tui Solutions’ mixed Android fleet.

| Feature | Fully Managed | Dedicated | Corporate Work Profile | Personal Work Profile |
|---|---|---|---|---|
| Device ownership | Corporate | Corporate (shared) | Corporate | Personal (BYOD) |
| User affinity | Yes (one user) | No (shared) | Yes (one user) | Yes (one user) |
| Admin control level | Full device | Full device (kiosk/signage) | Work profile + device-level | Work profile only |
| Personal apps allowed | Admin decides | No (single-purpose) | Yes, in personal profile | Yes (device owner controls) |
| Enrollment method | QR code, NFC, token, zero-touch | QR code, NFC, token, zero-touch | QR code, NFC, token, zero-touch | Company Portal app |
| Best for | Corporate-only phones/tablets | Kiosks, shared tablets, digital signs | Corporate phone where user also has personal apps | Employee's own phone accessing work email |
| Factory reset required | Yes | Yes | Yes | No |

Android enrollment setup

  1. Connect to Managed Google Play — link your Intune tenant to Google’s enterprise service
  2. Create enrollment profiles — one per management type (fully managed, dedicated, etc.)
  3. Generate enrollment tokens — QR codes or NFC tags for corporate devices
  4. For BYOD — users install Company Portal from Google Play and sign in

ℹ️ Deep dive: Android zero-touch enrollment

Zero-touch enrollment is Google’s equivalent of Apple’s ADE. Devices purchased from participating resellers are pre-registered with your Intune tenant. When a user turns on the device, it automatically configures itself without any manual steps.

Requirements:

  • Device must be purchased from a zero-touch reseller
  • Device must run Android 9.0 or later
  • Intune tenant must be linked to Managed Google Play

This is the most seamless Android enrollment method for corporate devices. Samsung also offers Samsung Knox Mobile Enrollment (KME) — a similar OEM-specific alternative that works with Samsung devices running Knox 2.8+.

Bulk enrollment for Windows

For Windows devices that can’t use Autopilot (e.g., no internet during setup), provisioning packages offer offline bulk enrollment:

  1. Use Windows Configuration Designer (WCD) to create a .ppkg file
  2. Include Entra join settings, Intune enrollment, Wi-Fi config, and apps
  3. Apply the package via USB or network share during OOBE
  4. Devices join Entra ID and enroll in Intune without internet (settings apply when connected)

We’ll cover provisioning packages in detail in Module 10.

Flashcards

Question: What triggers Windows auto-enrollment in Intune?

Answer: An Entra ID join or registration event. When a device joins (or registers with) Entra ID and the MDM user scope is configured, Intune enrollment happens automatically. Requires Entra ID P1 or P2.

Question: What is Apple Automated Device Enrollment (ADE)?

Answer: Apple's bulk enrollment method via Apple Business Manager. Corporate iOS/iPadOS devices are pre-assigned to Intune. When unboxed, they auto-enroll in supervised mode. Formerly called DEP (Device Enrollment Program).

Question: Name the four Android enrollment types in Intune.

Answer:

  1. Fully Managed (corporate, full control)
  2. Dedicated (shared/kiosk devices)
  3. Corporate-Owned Work Profile (corporate phone, work + personal profiles)
  4. Personal Work Profile (BYOD, work profile only)

Question: What's the difference between MDM scope and MAM scope in Entra auto-enrollment?

Answer: MDM scope = full device management for Entra Joined/Hybrid Joined devices. MAM scope = app-level management only for Entra Registered (BYOD) devices. Both are configured in Entra ID under Mobility settings.

Knowledge Check

  1. Sam configures auto-enrollment with MDM user scope set to 'All.' A user joins their corporate laptop to Entra ID. What happens next?
  2. Riko at Pixel & Co needs to set up 20 new corporate-owned iPads for the design team. The iPads were purchased through an Apple authorised reseller. What's the most efficient enrollment method?
  3. A company needs kiosk tablets in their retail stores that display a single inventory app. No user signs in — the tablets are shared. Which Android enrollment type is correct?

Next up: Intune RBAC & Windows Hello for Business — controlling who can do what in Intune, and going passwordless.


© 2026 Sutheesh. All rights reserved.

Guided is an independent study resource and is not affiliated with, endorsed by, or officially connected to Microsoft. Microsoft, Azure, and related trademarks are property of Microsoft Corporation. Always verify information against Microsoft Learn.