¶ Windows Enrollment
MEM Portal Link:- Enroll devices - Microsoft Endpoint Manager admin center
¶ Best Practices
- MDM User Scope set to
All, MAM User Scope set toNone - Windows Hello for Business set to
Not Configured - ESP configured to target an appropriate user group (E.g. All Autopilot Devices), leave Default ESP set to
No
¶ General Configuration Options
Automatic Enrollment is the same setting as going to the Mobility (MDM and MAM) page of Azure Active Directory, and contains two main options:
-
MDM User Scope
The MDM user scope is one of the key settings to allow users to be able to enroll devices into Intune, the other being an active Intune license. Under most cases, can safely be set toAll -
MAM User Scope
99.9% of the time should be set toNone. Only used if
This option allows you to set tenant-wide configuration for Windows Hello for Business for All Users
As the settings impact every user, it's recommended to instead configure a policy via Endpoint Security > Account Protection as these can be more granularly targeted to user groups.
The CNAME Validation option is purely a mini DNS checker that looks for the existence of CNAME records of EnterprideEnrollment.companydomain.com and EnterpriseRegistration.companydomain.com within DNS.
While most people configure this, it is optional not actually required under most circumstances, only being necessary where a tenant does not have AAD P1/P2, or you are getting users to register manually (not recommended). More info.
This new preview feature enables configuration of notifications to inform users that a device has been registered to them.
Set up enrollment notifications in Intune - Microsoft Intune | Microsoft Learn
If implementing Co-Management with ConfigMgr, these settings enable you to automatically deploy the ConfigMgr agent during Autopilot.
Requires the configuration of tenant attach and deployment of a Cloud Management Gateway (CMG).
Cloud connecting with co-management - Configuration Manager | Microsoft Learn