This is a comprehensive technical guide on how to add a corporate device to Intune device management. As a recap, Microsoft Intune is a well-known comprehensive endpoint manager that allows organizations to manage, assess, and protect their apps and devices. This ability to securely manage corporate devices across distributed environments is especially beneficial for organizations in highly regulated industries, particularly in maintaining compliance with various regulations.
Other key benefits of corporate enrollment into Intune include:
- Centralized device and policy management through Microsoft Endpoint Manager.
- Enforcement of access control using Conditional Access and security baselines.
- Streamlined provisioning and onboarding for efficient IT operations.
📌 Recommended deployment strategies:

| Method | 💻 Best for Individual Users | 💻💻💻 Best for Enterprises |
|---|---|---|
| Method 1: Using Windows Settings (GUI) | ✓ | |
| Method 2: Using the Company Portal app | ✓ | |
| Method 3: Using CMD | ✓ | |
| Method 4: Using PowerShell | ✓ | |
| Method 5: Using Group Policy | ✓ | |
How to enroll a corporate device in Intune: Six methods to consider
Method 1: Using Windows Settings (GUI)
📌 Use Cases: Ideal for small deployments or organizations with low automation requirements.
📌 Prerequisites:
- You need an active Azure AD account.
- You must have a supported Microsoft OS:
  - Windows 10/11 (Home, S, Pro, Pro Education, Education, Enterprise, and IoT Enterprise)
  - Windows 10/11 Cloud PCs on Windows 365
- An Intune license must be assigned to the user, such as:
  - Microsoft Intune (standalone)
  - Microsoft 365 E3/E5
  - Microsoft 365 Business Premium
  - Enterprise Mobility + Security (EMS) E3/E5
Steps:
- Go to Settings > Accounts > Access work or school.
- Click Connect.
- Select Join this device to Azure Active Directory.
- Sign in with your corporate Azure AD credentials.
- Device auto-enrolls in Intune.*
* Keep in mind that MDM auto-enrollment only happens if you have an individual Intune license.
💡 Tip: To verify if it worked, go to Settings > Accounts > Access work or school > [Account] > Info.
Method 2: Using the Company Portal app
📌 Use Cases: Recommended for corporate devices handed out to individual users, or for devices where the user lacks the admin access needed for the Settings GUI method.
📌 Prerequisites:
- You must have the Company Portal app installed.
- Make sure you have the proper corporate AAD credentials.
Steps:
- Download Company Portal from the Microsoft Store.
- Open and sign in with AAD credentials.
- Follow the enrollment wizard.
- Confirm the device appears in MEMAC > Devices: open the Microsoft Endpoint Manager admin center (https://endpoint.microsoft.com), go to Devices, and look for the device listed under the signed-in user's profile.
Method 3: Using CMD (Basic AAD join and Intune trigger)
While CMD lacks a direct Intune enrollment trigger, it can initiate AAD join and trigger the device provisioning stack.
📌 Use Cases: Recommended for hybrid join setups and for scripted deployments with cached credentials. It is also useful for enrollment troubleshooting.
📌 Prerequisites:
- You must have admin privileges.
- Need to have cached Azure AD credentials.
Steps:
- Open Command Prompt as an administrator. To do this, locate the Command Prompt application, right-click it, and select Run as administrator.
- Run this command: `dsregcmd.exe /join`
- To verify status, run this command: `dsregcmd.exe /status`
- If the device is eligible and Azure AD credentials are cached, this may initiate the Intune MDM enrollment process automatically.
Method 4: Using PowerShell
📌 Use Cases: Excellent for large-scale deployments and integration into endpoint management tools. It’s also good for endpoint automation.
📌 Prerequisites:
- Requires PowerShell 7 or later.
- You must have admin privileges.
- Have an Intune-compatible OS.
- Need a refresher? Sign up for a free crash course, PowerShell for IT Ninjas.
Steps:
- Open PowerShell as an administrator.
- Execute these commands, as needed:

Confirm that the device supports MDM. `Get-CimInstance` is used here because `Get-WmiObject` is not available in PowerShell 7; note that the MDM Bridge WMI Provider behind this namespace must be queried from the Local System context (for example from a `PsExec -s` session), otherwise the class is not found:

`Get-CimInstance -Namespace "root\cimv2\mdm\dmmap" -ClassName MDM_DevDetail_Ext01`

Trigger enrollment:

`Start-Process "C:\Windows\System32\DeviceEnroller.exe" -ArgumentList "/c /AutoEnrollMDM" -Verb RunAs`

Post-enrollment, validate in Azure AD (requires the AzureAD PowerShell module and an authenticated session, which `Connect-AzureAD` establishes):

`Connect-AzureAD`
`Get-AzureADDevice -SearchString "<device-name>"`
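The following script is an added example (it is not from the original article) that checks, on the local device, whether the join and enrollment steps from Methods 3 and 4 actually completed: it parses `dsregcmd /status`, looks for an Intune enrollment record in the registry, and, if none is found, pulls recent errors from the MDM diagnostics event log. It assumes an elevated PowerShell session on the Windows device being checked; the registry path, the `MS DM Server` provider ID and the event log name are standard Windows locations, not values from the article.

```powershell
# Added example, not part of the original article.
# Verifies Azure AD join state and Intune MDM enrollment on the local device.
# Assumes: elevated PowerShell on the Windows client being checked.

function Get-DsregState {
    # dsregcmd /status prints "Name : Value" lines; collect them into a hashtable.
    $state = @{}
    foreach ($line in (dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*)$') {
            $state[$matches[1]] = $matches[2].Trim()
        }
    }
    return $state
}

function Get-IntuneEnrollment {
    # Every MDM enrollment gets a GUID subkey here; Intune's ProviderID is "MS DM Server".
    $base = 'HKLM:\SOFTWARE\Microsoft\Enrollments'
    Get-ChildItem -Path $base -ErrorAction SilentlyContinue | ForEach-Object {
        $p = Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue
        if ($p.ProviderID -eq 'MS DM Server') {
            [pscustomobject]@{
                EnrollmentId    = $_.PSChildName
                UPN             = $p.UPN
                EnrollmentState = $p.EnrollmentState
                DiscoveryUrl    = $p.DiscoveryServiceFullURL
            }
        }
    }
}

$ds = Get-DsregState
[pscustomobject]@{
    AzureAdJoined = $ds['AzureAdJoined']   # YES once the AAD join has completed
    DomainJoined  = $ds['DomainJoined']    # YES on hybrid-joined devices
    TenantName    = $ds['TenantName']
    MdmUrl        = $ds['MdmUrl']          # populated when an MDM enrollment URL is known
} | Format-List

$enroll = Get-IntuneEnrollment
if ($enroll) {
    Write-Host 'Intune enrollment record found:'
    $enroll | Format-Table -AutoSize
} else {
    Write-Warning 'No Intune enrollment record found. Most recent MDM errors, if any:'
    Get-WinEvent -LogName 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin' `
        -MaxEvents 50 -ErrorAction SilentlyContinue |
        Where-Object { $_.LevelDisplayName -eq 'Error' } |
        Select-Object TimeCreated, Id, Message |
        Format-Table -Wrap
}
```

Run it once before triggering enrollment to capture a baseline and again afterwards; an `AzureAdJoined : YES` with no `MS DM Server` record is the typical signature of the licensing gap mentioned under Method 1, and the event log section then shows the enrollment client's own error code.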
Method 5: Using Group Policy
📌 Use Cases: Ideal for hybrid environments using local AD and Azure AD sync. It may also be useful for domain-based environments or IT teams that prefer hands-off enrollment.
📌 Prerequisites:
- Azure AD Connect must be configured to synchronize your on-premises Active Directory with Azure AD.
- A Service Connection Point (SCP) must be properly set up in Active Directory.
- Devices must be domain-joined and running a supported edition of Windows 10 or 11.
- Group Policy infrastructure must be in place to enable automatic MDM enrollment.
Steps:
- Press Win + R, type gpedit.msc, and press Enter to open the Group Policy editor.
- Go to: Computer Configuration > Administrative Templates > Windows Components > MDM
- Enable the policy "Enable automatic MDM enrollment using default Azure AD credentials".
- Set the credential type (Device or User).
- Close the Group Policy editor.
- Open an elevated Command Prompt and run `gpupdate /force` to force a policy update and make sure the changes are applied immediately.
- The device will enroll at the next login or policy refresh.
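As an added example (not from the original article), the script below confirms on a client that the Group Policy setting above has actually been processed and that the enrollment scheduled task it produces exists, then starts that task rather than waiting for the next logon. It assumes an elevated PowerShell session on a domain-joined client after `gpupdate /force`; the registry path, the value names `AutoEnrollMDM` and `UseAADCredentialType` (1 = User credential, 2 = Device credential) and the task name are what Windows itself uses for this policy, not values taken from the article.

```powershell
# Added example, not part of the original article.
# Checks that the "Enable automatic MDM enrollment using default Azure AD credentials"
# GPO has landed on this device and that the enrollment task it creates is present.
# Assumes: elevated PowerShell on a domain-joined client after gpupdate /force.

function Test-MdmAutoEnrollPolicy {
    # The GPO writes these values; UseAADCredentialType 1 = User credential, 2 = Device credential.
    $key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        PolicyKeyPresent = [bool]$p
        AutoEnrollMDM    = $p.AutoEnrollMDM
        CredentialType   = $(switch ($p.UseAADCredentialType) {
                               1 { 'User' } 2 { 'Device' } default { 'Not set' }
                           })
    }
}

function Get-MdmAutoEnrollTask {
    # The MDM client creates this task once the policy is processed; it retries enrollment on a schedule.
    Get-ScheduledTask -ErrorAction SilentlyContinue |
        Where-Object { $_.TaskPath -like '\Microsoft\Windows\EnterpriseMgmt\*' -and
                       $_.TaskName -like 'Schedule created by enrollment client*' }
}

$policy = Test-MdmAutoEnrollPolicy
$policy | Format-List

if (-not $policy.PolicyKeyPresent -or $policy.AutoEnrollMDM -ne 1) {
    Write-Warning 'Policy not applied yet: run gpupdate /force and confirm the GPO appears in gpresult /r.'
    return
}

$task = Get-MdmAutoEnrollTask
if ($task) {
    Write-Host "Enrollment task present: '$($task.TaskName)' (state: $($task.State))"
    # Kick the task now instead of waiting for the next logon or policy refresh.
    $task | Start-ScheduledTask
} else {
    Write-Warning 'Policy is set but the enrollment task has not been created yet; reboot or wait for the next policy refresh.'
}
```

This separates the two failure modes listed later in this article for misconfigured auto-enrollment: a missing registry value means the GPO never reached the device (scope, filtering or replication), while a present value with no task means the MDM client has not yet processed it.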
Additional considerations in Intune corporate device enrollment
- Corporate identifiers, such as serial numbers or IMEI, can be uploaded to MEM to enforce corporate device ownership classification. These identifiers help Intune recognize the device as corporate-owned during enrollment, ensuring it is automatically placed under corporate management rather than being treated as a personal device. To learn more, read the official guide, Identify devices as corporate-owned.
- Windows Autopilot simplifies corporate enrollment at scale and integrates with existing device vendors, instead of manually imaging and configuring machines before distribution. IT admins can register new devices with Autopilot by uploading hardware hashes or leveraging direct integration with Original Equipment Manufacturers (OEMs).
- Hybrid Azure AD Join devices must be synced with Azure AD Connect and meet SCP configuration requirements. This allows devices to authenticate against both local AD and Azure AD, enabling unified access management and policy enforcement.
💡 Tip: Consider reading these great resources:
- Azure AD Connect: What It Is and How to Configure It
- Integrating On-Premises and Cloud with Hybrid Azure AD Join
- Azure Active Directory vs Active Directory: What’s the Difference?
⚠️ Things to look out for

| Risks | Potential Consequences | Remediation |
|---|---|---|
| Missing or incorrect corporate identifiers (serials/IMEIs) | Devices may be classified as personal, limiting admin control and applying the wrong policies. | Upload identifiers in the Microsoft Endpoint Manager admin center (MEMAC) before enrollment, then reset and re-enroll the device. |
| Misconfigured Group Policy for MDM auto-enrollment | Devices fail to auto-enroll, show enrollment errors, or create duplicate records. | Review GPO settings, correct the policy, run `gpupdate /force`, and reboot. |
| Outdated or unsupported OS versions | Enrollment may silently fail or partially complete, leading to inconsistent device states. | Upgrade the device to a Windows 10/11 Pro, Enterprise, or Education edition. |
| Autopilot profile misconfiguration | Device provisioning may skip steps or apply incorrect policies. | Edit the Autopilot profile in MEMAC and reassign it; reset the device with Autopilot Reset or a wipe. |
| Duplicate device records in Azure AD or Intune | Conflicts in policy application, reporting errors, or user confusion. | Use cleanup rules or manually remove stale entries before re-enrolling. |
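The last row of the table recommends removing stale duplicates before re-enrolling. The function below is an added example (not from the original article) that only reports such duplicates, grouped by display name and sorted so the record with the oldest sign-in is listed first, leaving the actual deletion as a deliberate manual step. It assumes the AzureAD PowerShell module used elsewhere in this article (Microsoft has been retiring that module in favour of Microsoft Graph PowerShell, so the property names here are the AzureAD module's) and an existing `Connect-AzureAD` session.

```powershell
# Added example, not part of the original article.
# Lists Azure AD device records that share a display name so stale copies can be
# reviewed before re-enrolling. Read-only: nothing is deleted.
# Assumes: AzureAD module installed and Connect-AzureAD already run.

function Get-DuplicateAadDevices {
    param(
        # Optional wildcard filter, e.g. 'LAPTOP-*' to limit the scan to one naming prefix.
        [string]$NameFilter = '*'
    )
    Get-AzureADDevice -All $true |
        Where-Object { $_.DisplayName -like $NameFilter } |
        Group-Object -Property DisplayName |
        Where-Object { $_.Count -gt 1 } |
        ForEach-Object {
            # Oldest last-logon first, so the likely-stale record is at the top of each group.
            $_.Group |
                Sort-Object -Property ApproximateLastLogonTimeStamp |
                Select-Object DisplayName, ObjectId, DeviceId, DeviceTrustType,
                              IsManaged, IsCompliant, ApproximateLastLogonTimeStamp
        }
}

Get-DuplicateAadDevices | Format-Table -AutoSize
```

Compare `DeviceTrustType` within each group before cleaning up: a hybrid-joined record alongside an Azure AD-registered one for the same machine usually means the device was registered by a user before the hybrid join completed, and it is the registered entry, not the joined one, that is normally the stale copy.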
NinjaOne services: Complementing Intune management
While Microsoft Intune provides a robust foundation for centralized device management, NinjaOne offers complementary capabilities that significantly enhance automation, visibility, and control, especially for managed service providers (MSPs) handling large and hybrid client environments.
Here’s how NinjaOne can support and strengthen your Intune corporate enrollment strategies:
Custom scripting engine
NinjaOne’s powerful scripting framework allows IT admins to deploy and automate Intune enrollment workflows across entire fleets. This can be useful for environments where Group Policy isn’t available or where scripted enrollment is preferred for consistency and scale.
Compliance monitoring
Using NinjaOne’s endpoint management capabilities, MSPs can validate whether devices are properly enrolled in Intune. If a device fails to meet compliance benchmarks, NinjaOne can automatically raise alerts, trigger remediation scripts, or tag the device for follow-up. This ensures that misconfigured (or unenrolled) devices don’t slip through the cracks.
Custom fields and reporting
NinjaOne allows you to define and use custom fields to track: enrollment type (manual, GPO, scripted), device ownership status (corporate or personal), policy compliance status, or enrollment method used (Company Portal, Registry Editor, etc.).
Third-party patching and MDM augmentation
While Intune handles Microsoft patching and some third-party apps, NinjaOne offers strong patching capabilities that cover non-Microsoft software and custom application packages. In addition, NinjaOne serves as a secondary control plane for remote remediation, endpoint backup, and other operational tasks not directly supported or centralized with Intune.
Additional resources:
- Choosing the Right Software Deployment Tool: Intune vs. NinjaOne – A User’s Perspective
- Intune vs RMM: Can Microsoft Intune Replace an RMM?
- NinjaOne vs. Microsoft Intune
- 12 Best Microsoft Intune Alternatives & Competitors
Benefits for MSPs and IT teams
By integrating NinjaOne with your Intune-based workflows, you gain:
- Operational efficiency through automation and scripting
- Improved visibility across multiple client tenants or departments
- Proactive identification of enrollment and compliance gaps
- Extended control for scenarios where Intune alone may fall short
This dual approach helps standardize onboarding processes, reduces manual effort (and human error), and ensures that every device is properly accounted for and secured.
Thinking of adding a device to Intune?
Corporate enrollment into Microsoft Intune is essential for securing and managing modern endpoints. This guide provides multiple methods to accommodate small-scale manual setups and automated enterprise-wide rollouts.