Intune Enrollment Essentials
Before devices can receive policies and apps, they need to enroll in Microsoft Intune. Learn how to configure enrollment settings, restrictions, and the device limit.
What is device enrollment?
Think of enrollment like checking into a hotel.
You arrive (the device connects), you show your ID at reception (the device authenticates with Entra ID), and you get your room key and hotel rules (Intune pushes policies and apps). Until you check in, the hotel can't give you anything, and until a device enrolls in Intune, you can't manage it.
As the admin, you control who can check in (enrollment restrictions), how many rooms each guest gets (device limits), and what's waiting in the room (default policies).
Enrollment settings you need to know
Aroha at CloudForge is setting up Intune for the first time. Her 30-person startup has Windows laptops and a mix of personal phones. She needs to configure enrollment before anyone can start.
Device platform restrictions
Enrollment restrictions control which platforms can enroll and what versions are required:
| Setting | What It Controls | Example |
|---|---|---|
| Platform restrictions | Which OS types can enroll | Block Android personally-owned, allow corporate Android |
| Device type restrictions | Allow or block specific platforms | Allow Windows and iOS, block macOS |
| OS version limits | Minimum/maximum OS version | Require Windows 11 22H2 or later |
| Device limit restrictions | Max devices per user | Default is 5 devices per user |
| Corporate device identifiers | Pre-declare corporate devices by serial/IMEI | Upload a CSV of serial numbers to mark devices as corporate before enrollment |
Priority order
Enrollment restrictions use a priority system. Each restriction policy has a priority number: lower number = higher priority.
- Default policy (priority 999, lowest) applies to everyone
- Custom policies can target specific groups with higher priority
- First matching policy wins: Intune evaluates from highest priority (lowest number) down
Example: Aroha creates a custom restriction blocking personal Android devices (priority 1, targeted at "All Users"). She also has the default policy allowing all platforms (priority 999). The custom policy wins because it has higher priority.
Exam tip: enrollment restrictions vs compliance policies
Don't confuse these two concepts:
- Enrollment restrictions = gatekeeping. They decide whether a device CAN enroll at all. A blocked device never gets into Intune.
- Compliance policies = standards. They check enrolled devices against rules (minimum OS, encryption, password). A non-compliant device is enrolled but flagged.
If the exam asks "how do you prevent personally-owned Android devices from accessing company resources?", the answer could be either, depending on context:
- Block at enrollment → enrollment restriction (device never enrolls)
- Block at access → compliance policy + conditional access (device enrolls but can't access resources until compliant)
The enrollment flow
What happens when a device enrolls? Here's the step-by-step:
- User initiates enrollment: via Company Portal app, Windows OOBE, Settings, or Autopilot
- Authentication: user signs in with Entra ID credentials
- Platform check: Intune checks enrollment restrictions (is this platform allowed? is this OS version OK?)
- Device limit check: has this user exceeded their device limit?
- Management profile installed: Intune's MDM profile is pushed to the device
- Device object created: a device record appears in both Entra ID and Intune admin center
- Policies and apps deploy: compliance, config profiles, and assigned apps begin syncing
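The priority rule and the platform and device limit checks from the flow above, modelled as an added example (a simplified sketch, not Microsoft's code and not part of the original page). Policy names, group names, the device fields and the `device_limit` parameter are assumptions; the "IT pilot" policy shows how a permissive policy with a lower priority number shadows the Android block for its members.

```python
from dataclasses import dataclass, field

@dataclass
class Restriction:
    name: str
    priority: int            # lower number = higher priority
    groups: set              # groups the policy is assigned to
    blocked: set = field(default_factory=set)    # {(platform, ownership)}
    min_os: dict = field(default_factory=dict)   # platform -> minimum build tuple

def effective_policy(policies, user_groups):
    """Return the first policy, by ascending priority number, assigned to the user."""
    for policy in sorted(policies, key=lambda p: p.priority):
        if policy.groups & user_groups:
            return policy
    raise LookupError("no restriction matched this user")

def evaluate_enrollment(policies, user_groups, device, enrolled_count, device_limit):
    """Platform check, then device limit check. Returns (allowed, reason)."""
    policy = effective_policy(policies, user_groups)
    if (device["platform"], device["ownership"]) in policy.blocked:
        return False, f"{policy.name}: platform blocked"
    minimum = policy.min_os.get(device["platform"])
    if minimum and device["os"] < minimum:
        return False, f"{policy.name}: OS below minimum"
    if enrolled_count >= device_limit:
        return False, "device limit reached"
    return True, f"{policy.name}: allowed"

# Constructed sample policies (names and groups are hypothetical).
POLICIES = [
    Restriction("Default", 999, {"All Users"}),
    Restriction("Block personal Android", 2, {"All Users"},
                blocked={("android", "personal")},
                min_os={"windows": (10, 0, 22621)}),   # Windows 11 22H2 build
    Restriction("IT pilot", 1, {"IT"}),                # permissive, outranks the block
]

if __name__ == "__main__":
    phone = {"platform": "android", "ownership": "personal", "os": (14,)}
    old_laptop = {"platform": "windows", "ownership": "corporate", "os": (10, 0, 22000)}
    print(evaluate_enrollment(POLICIES, {"All Users"}, phone, 1, 5))
    print(evaluate_enrollment(POLICIES, {"All Users", "IT"}, phone, 1, 5))
    print(evaluate_enrollment(POLICIES, {"All Users"}, old_laptop, 1, 5))
```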
Where enrollment is configured
| Setting | Location |
|---|---|
| Enrollment restrictions | Intune admin center > Devices > Enrollment > Device platform restriction |
| Device limit | Intune admin center > Devices > Enrollment > Device limit restriction |
| Corporate identifiers | Intune admin center > Devices > Enrollment > Corporate device identifiers |
| Terms and conditions | Intune admin center > Tenant administration > Terms and conditions |
| Enrollment status page (ESP) | Intune admin center > Devices > Enrollment > Windows enrollment > Enrollment Status Page |
Deep dive: terms and conditions
You can require users to accept Terms and Conditions before enrolling. This is a legal requirement in many organisations: users must acknowledge that:
- The company can see device inventory information
- The company can push policies and apps
- The company can remotely wipe the device (for corporate devices)
Terms and conditions are created in the Intune admin center and assigned to groups. Users see them during enrollment and must accept before proceeding.
Aroha sets up T&Cs for CloudForge that explain: "We can see your device name, OS version, and installed apps. We cannot see your personal photos, texts, or browsing history."
Device limit restrictions
By default, each user can enroll up to 15 devices in Intune. Admins can change this:
| Limit | When To Use |
|---|---|
| 5 | Standard users who have a laptop + phone |
| 10 | Power users or shared device scenarios |
| 15 (default) | Microsoft's default, generous for most orgs |
| Unlimited | Not recommended: hard to track device sprawl |
Chen Wei at Meridian Bank sets the limit to 5 for standard users and 10 for the IT team who test on multiple devices.
Intune Enrollment Essentials: MD-102 Module 3
Knowledge Check
Aroha wants to allow Windows and iOS enrollment at CloudForge but block all personally-owned Android devices. What should she configure?
A user at CloudForge tries to enroll their sixth device but gets an error. Aroha set the device limit to 5. The user has 5 devices enrolled but retired one last week. What's the issue?
Next up: Auto-Enrollment & Bulk Enrollment, scaling enrollment for hundreds of Windows, iOS, and Android devices.