How to Enrol a Windows 11 Device in Microsoft Intune
Step-by-step guide to enrolling a Windows 11 PC in Microsoft Intune for device management, compliance policies, and app deployment.
Overview
Microsoft Intune is the cloud-based device management platform included with Microsoft 365 Business Premium and Enterprise E3/E5 licences. Enrolling a Windows 11 device in Intune lets you push security policies, deploy applications, enforce BitLocker encryption, and monitor compliance — all without touching the machine physically.
This guide covers the three most common enrolment methods and when to use each.
Prerequisites
- A Microsoft 365 licence that includes Intune (Business Premium, E3, E5, or standalone Intune Plan 1)
- Microsoft Entra joined or Microsoft Entra hybrid joined device (or willingness to join during enrolment)
- The device running Windows 11 Pro, Enterprise, or Education (Home edition does not support Intune)
- Global Admin or Intune Admin role to configure enrolment settings
Method 1: User-Driven Enrolment (Settings App)
Best for: BYOD scenarios or small teams where users enrol their own devices.
Step 1 — Open Windows Settings
- Press Win + I to open Settings
- Navigate to Accounts > Access work or school
- Click Connect
Step 2 — Sign in with a work account
- Enter the user's Microsoft 365 email address
- Authenticate with MFA if prompted
- Windows will detect the Intune enrolment URL automatically via Microsoft Entra ID
Step 3 — Accept management
- The user will see a prompt explaining what the organisation can and cannot see on their device
- Click Connect to accept and begin enrolment
- Wait for the "You're all set!" confirmation
Step 4 — Verify enrolment
Open Settings > Accounts > Access work or school and confirm the work account shows "Connected to [Organisation] MDM".
You can also verify from the Intune admin centre at intune.microsoft.com:
- Go to Devices > All devices
- Search for the device name
- Confirm the compliance state shows "Compliant" or "Pending"
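The Settings page and the admin centre both depend on the device having completed enrolment correctly. The following added example (not part of the original article) checks the same thing from the device side in one pass: the join state reported by dsregcmd, the MDM enrolment key Intune writes under the Enrollments registry hive, and whether the Intune Management Extension service is running. Run it in an elevated PowerShell prompt on the device. The expected enrolment host (manage.microsoft.com) is the Intune enrolment service and is an assumption of this script.

```powershell
# Added example: verify Intune MDM enrolment state locally on a Windows 11 device.
# Assumed: Intune enrolment URLs live under manage.microsoft.com.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; turn them into a hashtable
    $status = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*([A-Za-z0-9]+)\s*:\s*(.+?)\s*$') {
            $status[$matches[1]] = $matches[2]
        }
    }
    return $status
}

function Get-IntuneEnrollment {
    # Each MDM enrolment gets a GUID-named key under this hive;
    # Intune enrolments carry ProviderID "MS DM Server".
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9a-fA-F-]{36}$' } |
        ForEach-Object {
            $props = Get-ItemProperty -Path $_.PSPath
            if ($props.ProviderID -eq 'MS DM Server') {
                [pscustomobject]@{
                    EnrollmentId = $_.PSChildName
                    UPN          = $props.UPN
                    DiscoveryUrl = $props.DiscoveryServiceFullURL
                }
            }
        }
}

function Test-IntuneEnrollment {
    $status     = Get-DsregStatus
    $enrolments = @(Get-IntuneEnrollment)
    $ime        = Get-Service -Name IntuneManagementExtension -ErrorAction SilentlyContinue

    # Entra joined devices report MdmUrl; Entra registered (BYOD) devices report WorkplaceMdmUrl
    $mdmUrl = "$($status['MdmUrl'])$($status['WorkplaceMdmUrl'])"

    $checks = [ordered]@{
        'Device is Entra joined or registered' = ($status['AzureAdJoined'] -eq 'YES' -or $status['WorkplaceJoined'] -eq 'YES')
        'MDM URL points to Intune'             = ($mdmUrl -like '*manage.microsoft.com*')
        'Intune enrolment key present'         = ($enrolments.Count -gt 0)
        'Intune Management Extension running'  = ($null -ne $ime -and $ime.Status -eq 'Running')
    }

    foreach ($name in $checks.Keys) {
        $state = if ($checks[$name]) { 'PASS' } else { 'FAIL' }
        Write-Host ("[{0}] {1}" -f $state, $name)
    }
    $enrolments | Format-Table -AutoSize | Out-Host

    # $true only when every check passed
    return -not ($checks.Values -contains $false)
}

Test-IntuneEnrollment
```

A FAIL on the enrolment key with a PASS on the join state usually means the user joined the account but declined the management prompt in Step 3; a FAIL on the IME service matches the "Apps not installing" row in the troubleshooting table below.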
Method 2: Windows Autopilot
Best for: New devices or reimaged machines. The device enrols automatically on first boot with no IT intervention required on-site.
Microsoft now offers Windows Autopilot device preparation, a simplified version of Autopilot that requires less pre-configuration and no hardware hash registration. It is ideal for new deployments. The classic Autopilot workflow described below remains fully supported for existing environments.
Step 1 — Register the device hardware hash
Get the hardware hash from the device (or have your hardware vendor pre-register it):
```powershell
# Run in an elevated PowerShell prompt on the device (or during OOBE: press Shift+F10, then type "powershell")
# If script execution is blocked, allow it for this session first:
#   Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
# Install the Get-WindowsAutopilotInfo script from the PowerShell Gallery (requires internet access)
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Collect the hardware hash and write it to a CSV ready for upload to Intune
Get-WindowsAutopilotInfo -OutputFile C:\autopilot.csv
```
Upload the CSV to Intune at intune.microsoft.com:
- Go to Devices > Enrol devices > Windows enrolment > Devices
- Click Import and upload the CSV
Alternatively, you can upload hardware hashes directly in the Intune portal without using the PowerShell script. Navigate to Devices > Enrol devices > Windows enrolment > Devices and use the Add option to upload hashes through the portal interface.
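A malformed or duplicated CSV is a common reason a device later shows as not registered in Autopilot. The following added example (not from the original article, and not part of the Get-WindowsAutopilotInfo script) checks the CSV before upload: required columns present, no duplicate serial numbers, and every hardware hash non-empty and base64-decodable. It assumes the column names the script writes by default ("Device Serial Number", "Windows Product ID", "Hardware Hash"); the sample path is a placeholder.

```powershell
# Added example: validate an Autopilot hardware-hash CSV before importing it.
# Assumed column names match the default Get-WindowsAutopilotInfo output.
function Test-AutopilotCsv {
    param([Parameter(Mandatory)][string]$Path)

    $required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
    $problems = [System.Collections.Generic.List[string]]::new()

    if (-not (Test-Path -Path $Path)) {
        $problems.Add("File not found: $Path")
        return [pscustomobject]@{ Path = $Path; Rows = 0; Valid = $false; Problems = $problems }
    }

    $rows    = @(Import-Csv -Path $Path)
    # Header names come from the first data row if present, else from the raw first line
    $headers = if ($rows.Count -gt 0) { $rows[0].PSObject.Properties.Name }
               else { (Get-Content -Path $Path -First 1) -split ',' }

    foreach ($col in $required) {
        if ($headers -notcontains $col) { $problems.Add("Missing column: $col") }
    }
    if ($rows.Count -eq 0) { $problems.Add('CSV contains no device rows') }

    if ($problems.Count -eq 0) {
        # Intune rejects duplicate serials within one import
        $rows | Group-Object -Property 'Device Serial Number' |
            Where-Object { $_.Count -gt 1 } |
            ForEach-Object { $problems.Add("Duplicate serial number: $($_.Name)") }

        foreach ($r in $rows) {
            $serial = $r.'Device Serial Number'
            $hash   = $r.'Hardware Hash'
            if ([string]::IsNullOrWhiteSpace($serial)) { $problems.Add('Row with empty serial number'); continue }
            if ([string]::IsNullOrWhiteSpace($hash))   { $problems.Add("Empty hardware hash for serial $serial"); continue }
            # The hash is a base64 blob; a truncated or edited value will not decode
            try { [void][Convert]::FromBase64String($hash) }
            catch { $problems.Add("Hardware hash for serial $serial is not valid base64") }
        }
    }

    [pscustomobject]@{
        Path     = $Path
        Rows     = $rows.Count
        Valid    = ($problems.Count -eq 0)
        Problems = $problems
    }
}

# Usage (placeholder path): only upload the file when Valid is $true
$result = Test-AutopilotCsv -Path 'C:\autopilot.csv'
$result | Format-List
```

Run this on the machine where you collected the hashes, or on an admin workstation after gathering CSVs from several devices into one file. Fix every entry listed under Problems before importing, since Intune will reject the whole batch rather than skip a bad row.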
Step 2 — Create an Autopilot deployment profile
- Go to Devices > Enrol devices > Deployment profiles
- Click Create profile > Windows PC
- Configure:
  - Deployment mode: User-Driven
  - Join type: Microsoft Entra joined
  - OOBE settings: Hide privacy settings, EULA, and account change options
- Assign the profile to a device group
Step 3 — User powers on the device
- The device connects to the internet at OOBE
- The user enters their Microsoft 365 credentials
- Autopilot applies the profile, installs apps, and enforces policies automatically
Order devices with the Autopilot hardware hash pre-registered by the manufacturer (Dell, HP, and Lenovo all support this). This eliminates the need to manually extract hashes.
Method 3: Group Policy Auto-Enrolment (Hybrid Join)
Best for: Organisations with on-premises Active Directory that want to manage existing domain-joined devices via Intune without re-imaging.
Step 1 — Configure Microsoft Entra Connect
Ensure Microsoft Entra Connect (formerly Azure AD Connect) is configured for Microsoft Entra hybrid join. Devices must appear in both on-premises AD and Microsoft Entra ID. For new deployments, consider Microsoft Entra Cloud Sync as the preferred synchronisation tool.
Step 2 — Enable auto-enrolment in Entra
- Go to Microsoft Entra admin center (entra.microsoft.com) > Identity > Mobility (MDM and MAM) > Microsoft Intune
- Set MDM user scope to All or a specific group
- Leave the default MDM and MAM URLs
Step 3 — Create a Group Policy
- Open Group Policy Management Console
- Create a new GPO linked to the OU containing target devices
- Navigate to: Computer Configuration > Administrative Templates > Windows Components > MDM
- Enable the policy "Enable automatic MDM enrolment using default Microsoft Entra credentials" (older ADMX templates name it "...using default Azure AD credentials")
- Set the credential type to User Credential
Step 4 — Wait for policy application
Devices will auto-enrol at the next Group Policy refresh (or force it with gpupdate /force). Enrolment may take up to 8 hours after the GPO applies.
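Because the wait can be several hours, it is useful to confirm from the device that the prerequisites are in place rather than guessing. The following added example (not from the original article) audits the three things Method 3 depends on: the registry values the GPO from Step 3 writes, the hybrid join state from dsregcmd, and the scheduled task and event log entries the enrolment client produces. The registry path and value names are the ones the MDM auto-enrolment policy sets; the event IDs 75 (auto-enrolment succeeded) and 76 (auto-enrolment failed) are from the DeviceManagement-Enterprise-Diagnostics-Provider log. Run it in an elevated prompt on a domain-joined device.

```powershell
# Added example: audit Group Policy auto-enrolment prerequisites on a hybrid-joined device.

function Get-MdmAutoEnrollPolicy {
    # Values written by the "Enable automatic MDM enrolment" GPO;
    # UseAADCredentialType 1 = User Credential, 2 = Device Credential
    $path = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p = Get-ItemProperty -Path $path -ErrorAction SilentlyContinue
    $credType = switch ([int]$p.UseAADCredentialType) {
        1       { 'User Credential' }
        2       { 'Device Credential' }
        default { 'Not set' }
    }
    [pscustomobject]@{
        PolicyPresent  = ($null -ne $p)
        AutoEnrollMDM  = [int]$p.AutoEnrollMDM
        CredentialType = $credType
    }
}

function Get-HybridJoinState {
    $domain = $false; $entra = $false
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*DomainJoined\s*:\s*YES')  { $domain = $true }
        if ($line -match '^\s*AzureAdJoined\s*:\s*YES') { $entra  = $true }
    }
    [pscustomobject]@{
        DomainJoined = $domain
        EntraJoined  = $entra
        HybridJoined = ($domain -and $entra)
    }
}

function Get-AutoEnrollTask {
    # The enrolment client creates this task once the policy applies
    Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskName -like '*enrolling in MDM from AAD*' }
}

function Get-RecentEnrollmentEvents {
    param([int]$Count = 10)
    # 75 = auto-enrolment succeeded, 76 = auto-enrolment failed (message carries the HRESULT)
    Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
        Id      = 75, 76
    } -MaxEvents $Count -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id, @{ n = 'Summary'; e = { ($_.Message -split "`n")[0] } }
}

function Test-AutoEnrollReadiness {
    $policy = Get-MdmAutoEnrollPolicy
    $join   = Get-HybridJoinState
    $task   = Get-AutoEnrollTask

    if (-not $policy.PolicyPresent -or $policy.AutoEnrollMDM -ne 1) {
        Write-Warning 'Auto-enrolment policy not applied yet; run gpupdate /force and re-check'
    } else {
        Write-Host "Policy applied, credential type: $($policy.CredentialType)"
    }
    if (-not $join.HybridJoined) {
        Write-Warning 'Device is not hybrid joined; enrolment cannot start until Entra Connect has registered it'
    }
    if ($task) {
        Write-Host "Enrolment task present, state: $($task.State)"
    } else {
        Write-Host 'Enrolment scheduled task not created yet'
    }
    Get-RecentEnrollmentEvents | Format-Table -AutoSize | Out-Host

    return ($policy.AutoEnrollMDM -eq 1 -and $join.HybridJoined)
}

Test-AutoEnrollReadiness
```

If the policy and join state both pass but the task never fires, the event log is the place to look: a run of event 76 entries with the same HRESULT points at a tenant-side issue (MDM user scope, licence, or device limit) rather than the device.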
Post-Enrolment Checklist
Once the device is enrolled, configure these baseline policies:
| Policy | Purpose |
|---|---|
| Compliance policy | Define what "compliant" means (OS version, encryption, antivirus) |
| Device configuration profile | Push Wi-Fi, VPN, and security settings |
| BitLocker encryption | Require encryption and back up recovery keys to Microsoft Entra ID |
| Microsoft Defender for Business / Endpoint | Enable endpoint detection and response (EDR) and threat protection |
| Windows Update ring | Control when and how updates are installed |
| App deployment | Push required apps (Office, company LOB apps, security tools) |
| Conditional Access | Block non-compliant devices from accessing company resources |
Troubleshooting
| Issue | Cause | Fix |
|---|---|---|
| "This device is already enrolled" | Previous enrolment not cleaned up | Run dsregcmd /leave then re-enrol |
| Enrolment fails with 0x80180014 | Device limit reached | Increase the device limit in Intune or remove stale devices |
| Autopilot shows "Something went wrong" | Hardware hash not registered or profile not assigned | Verify the device appears in Autopilot devices and has a profile assigned |
| Compliance shows "Not evaluated" | Compliance policy not assigned | Assign a compliance policy to the device group |
| Apps not installing | Intune Management Extension not running | Restart the "Microsoft Intune Management Extension" service |
Windows 11 Home does not support Intune enrolment. If a user has a Home edition device, it must be upgraded to Pro before it can be managed.
Next Steps
- Configure Conditional Access policies to block non-compliant devices from email and SharePoint
- Set up BitLocker encryption with Microsoft Entra ID key backup
- Create app protection policies for BYOD scenarios where full enrolment is not appropriate