Home / Blog

Intune Device Enrollment Checklist for New Starters

A new starter can lose half a day to one missed configuration assignment.

When Intune device enrollment works, the user signs in once and receives all their necessary apps, policies, and access with little fuss. This seamless experience is the hallmark of effective endpoint management. However, when the process fails, you often face a cascade of support tickets regarding MFA, Office 365, Exchange Online, Wi-Fi, Outlook, and Conditional Access. Because Microsoft Intune serves as the core platform for these deployments, the fix is rarely found in a single setting. It is usually the result of three small, interconnected configurations.

Treat onboarding like a sequence of checks rather than a single task, and you will find that the entire process becomes much easier to manage.

Key Takeaways

  • Prioritize Identity and Licensing: Ensure users have the correct UPN, usage location, and active Intune licenses assigned before a device is deployed to avoid immediate sign-in failures.
  • Standardize with Windows Autopilot: Utilize Autopilot to streamline corporate Windows deployments, ensuring hardware is registered and assigned to the correct groups before shipping.
  • Systematize the Onboarding Process: Treat enrollment as a sequence of dependencies rather than a single task, verifying that identity, group membership, security policies, and app assignments are fully staged.
  • Validate Beyond the Desktop: A successful login is not the finish line; ensure the device reaches a compliant state and that essential business apps and Conditional Access policies function correctly.

Set up identity and licensing before the device ever arrives

Start with the user object, not the laptop. The account needs the right UPN, usage location, and the correct Microsoft Intune licenses assigned before the first sign-in. If the user does not have a license that includes Intune, the Company Portal app sign-in will fail and the rest of the workflow stops there. Before beginning, ensure your MDM authority is correctly set to Microsoft Intune in your tenant settings, as this is the foundational prerequisite for all device management.

Most teams cover this with Microsoft 365 E3 or E5, although standalone Microsoft Intune licenses also work. If your tenant still uses older Azure naming in scripts or documentation, clean that up now so the handover between Microsoft Entra ID and Microsoft 365 settings does not confuse the service desk.

Group membership is the next gate. Add the user to the Microsoft Entra ID groups that drive baseline configuration, required apps, compliance policies, and any Conditional Access exclusions for day-one access. If you use a short grace period for new hires, tie it to the employeehiredate attribute and remove the exclusion automatically after a few days. That is cleaner than making broad MFA exceptions.

Microsoft’s device enrollment guide is still the best reference for core prerequisites, and the Intune deployment setup steps are useful when you want to trace the whole dependency chain.

MFA needs special attention for new starters. A Temporary Access Pass is the safer path for first login because it gets users through initial authentication without weakening your normal MFA policy. If you skip this and rely on ad hoc exceptions, you often create short-term access that becomes long-term drift.

Enrollment restrictions also deserve a pre-check. If you only want corporate Windows devices in Intune, block personal Windows enrollment. If you allow BYOD mobile devices, be clear where device enrollment ends and app protection begins.

Finally, look at the user-facing side. The Company Portal app should have your support URL, privacy statement, and company branding. Hide the enroll device prompt for Autopilot and Apple ADE groups so users do not try to re-enroll a device that is already managed. If the mailbox is in Exchange Online, create it before handover, or Outlook setup becomes the first visible failure.

Build the Windows onboarding path around Windows Autopilot

For corporate Windows devices, Windows Autopilot is still the cleanest route. Register the hardware hash, assign the correct deployment profile, and check that the device lands in the right group before you ship it. If the profile targets the wrong group, everything after that becomes guesswork.

For most new builds, being Entra ID joined is the simplest option. It avoids many Hybrid Join headaches and pairs well with cloud-first access. If users still need on-premises resources, Cloud Kerberos fills the gap better than dragging every new device back into older join patterns.

The Windows enrollment guide for Intune outlines the supported paths, but the practical rule is simple: keep the first sign-in path short and predictable.

A sleek laptop sits next to a modern smartphone on a clean, professional desk. The workspace features soft blue accents and minimalist design elements intended to visualize a streamlined digital onboarding process.

Windows Autopilot readiness is not only about importing the device. Check the Enrollment Status Page and your device preparation policies as well. Too many required apps during the Enrollment Status Page still causes avoidable failures. A good baseline is one or two core apps during provisioning, then let the rest arrive after the desktop appears. That usually means Microsoft 365 Apps, security tooling, and Company Portal first, while larger line-of-business apps install later.

App assignments matter as much as profiles. Company Portal should be assigned as Required where you expect self-service access or remediation. Core apps should go to the right device or user groups, and the assignment method must match the scenario. A device-targeted assignment for a shared build behaves differently from a user-targeted assignment for a named employee.

Profile readiness comes next. Before the laptop leaves IT, confirm that the user or device will receive Wi-Fi, VPN, certificates, BitLocker settings, Defender settings, and any Exchange Online mail profile or app configuration you expect on day one. By ensuring your configuration policies are correctly scoped, you avoid the circular problem where Office 365 access depends on a VPN profile that arrives after compliance.

A short internal handover note also helps. Tell the user what to expect at first boot, what MFA method they will use, and when apps may continue to appear after sign-in. That small step saves more tickets than most admins expect.

Validate the first sign-in like a runbook

A successful first login is not proof that enrollment finished properly. The real test is whether identity, management, security, and access all line up in the right order.

Use this quick validation set after the device reaches the desktop:

CheckPass resultCommon failure
First sign-in and MFAUser completes sign-in with TAP or registered MFA methodUsage location, license, or MFA setup is missing
Entra join statusDevice shows as Entra joined and owned by the right userWrong Autopilot profile or stale device record
Company Portal accessUser can open Company Portal and see assigned appsIntune license missing or portal hidden for wrong group
Configuration profilesWi-Fi, VPN, certificates, BitLocker, and security settings applyAssignment filter, scope tag, or conflict blocks delivery
Compliance policiesDevice becomes compliant within expected timeEncryption, AV, OS version, or Secure Boot check fails
Conditional AccessManaged device gets access to Microsoft 365 appsPolicy order or grant controls are too strict
Exchange Online and appsOutlook, Teams, and other Office365 apps sign in normallyMailbox not ready, app config missing, or CA blocks legacy flow

The main takeaway is simple. Don’t stop at “the user got to the desktop.” Stop when the device is compliant and business apps work.

If Conditional Access requires a compliant device, test both paths. A compliant laptop should pass, and an unmanaged test device should fail.

This is also where most common mistakes show up. The wrong assignment type is a big one. Another is shipping a device before Autopilot sync completes. Stale records can cause duplicate objects, odd compliance results, or the wrong primary user. Conflicting configuration profiles create equally messy symptoms, especially when security baselines overlap with custom settings.

When troubleshooting, compare the device record in Intune and Entra ID first. Check join type, primary user, ownership, compliance state, and last check-in time. Then review app and profile assignments before you blame the device. If you still run Hybrid Join and Autopilot stalls, automatic enrollment through Group Policy with user credentials can be a useful fallback while you fix the underlying join issue. If you are managing devices transitioning toward cloud native, keep an eye on co-management workloads that might conflict with your new enrollment policies.

For MSPs, build this into a repeatable service desk runbook. Implementing robust Mobile Device Management standards is vital, and if remote support is part of your stack, the TeamViewer integration in Microsoft Intune can shorten the time from failed login to live remediation.

Mastering Mobile Device Management for iOS and Android

While the overarching enrollment philosophy remains consistent, your Mobile Device Management strategy must adapt to the specific requirements of each platform.

For iPhone, iPad, and macOS corporate-owned devices, Apple Automated Device Enrollment is the gold standard. To ensure a seamless iOS enrollment process, your Apple MDM push certificate and Volume Purchase Program token must be fully updated before the hardware reaches the end user. Although Microsoft has refined the authentication flow for Apple devices, the core requirement remains: corporate assets should always utilize automated enrollment rather than relying on manual, user-driven enrollment prompts.

Macs also require specific configuration and compliance checks. Elements like FileVault, digital certificates, Wi-Fi profiles, VPN configurations, and Company Portal access should be staged in advance. If your policy allows users to perform their own setup for Macs, ensure your instructional guides remain short and technically accurate.

When deploying Android, you should utilize Android Enterprise, selecting either fully managed modes for corporate-owned devices or work profiles for BYOD scenarios. Many IT teams accidentally over-manage BYOD endpoints. If your goal is simply to secure company data within applications like Outlook, Teams, or OneDrive, then app protection policies are often a more efficient, less intrusive solution than full device enrollment.

Transparency remains vital for mobile success. Clear privacy messaging is essential, as users are more likely to accept management when the Company Portal explicitly explains what IT can and cannot see. This level of clarity is just as important for maintaining secure Exchange Online mobile access as it is for establishing overall device trust.

Quick checklist for each new starter

  • Verify the user account has the correct UPN, usage location, and active Microsoft Intune licenses.
  • Confirm the user is in the appropriate Entra ID groups to trigger automatic assignments for apps, compliance policies, and Conditional Access.
  • Ensure a Temporary Access Pass or an approved MFA method is configured before the initial sign-in.
  • Review enrollment restrictions to verify they match the intended ownership model for Windows, macOS, iOS, or Android devices.
  • Confirm the hardware is registered for Windows Autopilot and assigned the correct deployment profile.
  • For bulk deployments, evaluate if using a Device Enrollment Manager account is appropriate for managing multiple devices.
  • If Windows Autopilot is not feasible, consider using a provisioning package to streamline offline or non-cloud native setups.
  • Ensure the Company Portal is available where required and hidden on devices where automated enrollment handles setup.
  • Verify that configuration profiles for Wi-Fi, VPN, certificates, disk encryption, and general security are assigned to the target device groups.
  • Confirm compliance policies are active and correctly mapped to the relevant platform groups to ensure device health.
  • Assign all required software, including Microsoft 365 apps, security tools, and essential line-of-business applications.
  • Test Conditional Access workflows to confirm they function as expected for both compliant and non-compliant scenarios.
  • Verify that Exchange Online mailboxes and Office 365 app access are fully provisioned before the device handover.
  • Provide the service desk with a concise runbook covering manual sync triggers, password resets, hardware reassignment, and troubleshooting failed enrollment checks.

Frequently Asked Questions

Why does my new starter encounter errors during the Company Portal sign-in process?

Most sign-in failures are caused by missing licenses or incorrectly configured user attributes like usage location. Verify that the user has an assigned Intune license and that your MDM authority is set correctly in the tenant settings before troubleshooting further.

Should I use MFA or a Temporary Access Pass for the first login?

A Temporary Access Pass (TAP) is the recommended best practice for initial setup. It allows users to authenticate securely without needing to bypass MFA policies, which helps avoid creating security drift or permanent authentication exceptions.

How many applications should I push during the Enrollment Status Page (ESP)?

Keep the initial app count during ESP to a minimum, typically just the core essentials like Microsoft 365 apps and security tooling. Installing too many line-of-business applications at this stage often leads to avoidable provisioning failures and slow initial setup times.

When should I use App Protection Policies instead of full device enrollment?

App Protection Policies are often the most efficient choice for BYOD or mobile scenarios where you only need to secure company data within specific apps. This approach provides necessary security for tools like Outlook and Teams without the privacy concerns and intrusiveness of taking full management control over a user’s personal device.

A clean first login saves hours later

One missed assignment can still derail the entire onboarding chain, but the pattern is predictable. When identity, licensing, enrollment method, policy delivery, and Conditional Access line up perfectly, the management process becomes routine instead of noisy.

The strongest habit is also the simplest one. Test the same first-day workflow every time you change groups, policies, or app assignments. When the new starter opens the lid, signs in, and starts work, the checklist did its job. By following this systematic approach, you ensure that Microsoft Intune serves as a reliable, unified solution that keeps your device environment stable and secure from the very first login.

← Back to all posts Book a free assessment