In-Depth Configuration of Enrollment Scopes for Microsoft Intune
Proper device enrollment ensures your organization balances security and user experience. Microsoft Intune lets you define two enrollment scopes for Windows 10 and 11 devices: the MDM user scope and the WIP user scope (current admin centers label the second one "MAM user scope"). Understanding how they differ and interact is crucial for supporting both corporate-owned machines and personal (BYOD) devices.
1. Understanding Enrollment Scopes
MDM User Scope
MDM enrollment gives Intune full control over a device. Use it for company-owned hardware where you need comprehensive management. Users in this scope get:
- Automatic Enrollment: When a device is joined to Microsoft Entra ID (or hybrid joined with the automatic MDM enrollment Group Policy) by a user who is in the MDM user scope, it enrolls in Intune with no further user action.
- Configuration Management: Push settings such as BitLocker encryption, Wi-Fi profiles, VPN connections, and Windows Update rings.
- Compliance Policies: Enforce requirements (for example, antivirus running or OS updates current) and, together with Conditional Access, block non-compliant devices.
- App Deployment: Install apps, updates, and patches silently in the background.
- Remote Actions: From the Intune admin center you can wipe, retire, sync, restart, or run Autopilot Reset on a device.
- Zero-Touch Provisioning: Combine with Windows Autopilot to deliver a fully configured device straight to users.
WIP User Scope
Windows Information Protection (WIP) protects corporate data on a device without taking full management control, which is why this scope suits BYOD situations. Note that Microsoft announced the deprecation of WIP in July 2022, so check current Microsoft guidance before building a new BYOD design on it. The scope provides:
- Data Protection Only: Encrypt and restrict corporate data in apps. Users can't copy, save, or share protected data to unmanaged locations.
- App-Level Controls: Apply protection policies per application (Outlook, Word, Teams) while leaving personal apps unaffected.
- Device Registration: The device becomes Microsoft Entra registered (workplace joined) when the user adds a work account, which confirms identity, but it is not MDM-enrolled.
- Privacy-Friendly: Users keep full control over personal files and apps. IT only sees and manages corporate data.
- No Device Wipe: IT can selectively wipe corporate data without touching personal content; a full device wipe is not available because the device is not MDM-managed.
2. How Scopes Interact
When a user is in both the MDM and WIP scopes, the way the device joins Microsoft Entra ID (joined for corporate hardware, registered for personal hardware) determines which scope applies:
- Corporate-Owned (Microsoft Entra joined) Devices
- MDM + WIP enabled → MDM wins. The device auto-enrolls and receives full Intune management, including any WIP policy delivered through MDM.
- MDM only → Full management.
- WIP only → Treated like BYOD: only data protection.
- Personal (Microsoft Entra registered) Devices
- MDM + WIP enabled → WIP takes precedence. The device is registered and protected, not fully managed.
- WIP only → Data protection only.
- MDM only → The device enrolls in MDM at the moment the user adds the work account (Settings > Accounts > Access work or school), unless an enrollment restriction blocks personally owned Windows devices.
This precedence ensures corporate devices get full management while personal devices keep their privacy with data safeguards.
3. Preparing Your Environment
Before you configure scopes:
- Verify Licensing: Ensure each user has an Intune license or an equivalent bundle (for example, Microsoft 365 E3/E5).
- Grant Permissions: In the Microsoft Entra admin center under Devices > Device settings, confirm "Users may join devices to Microsoft Entra ID" is On.
- Time Synchronization: Use NTP or domain time services to keep device clocks accurate and avoid authentication failures.
- Network Access: Devices need internet connectivity to reach Intune endpoints. Consider VPN split tunneling for remote users.
4. Step-by-Step Configuration
A. Configure in Microsoft Intune Portal
- Sign in to Microsoft Intune admin center.
- Select Devices > Windows > Enrollment > Automatic Enrollment.
- Under MDM user scope, choose:
- None: No automatic enrollment
- Some: Select specific Microsoft Entra security groups
- All: Every eligible (licensed) user auto-enrolls
- Under WIP user scope (shown as MAM user scope in current portals), choose the same way:
- None
- Some
- All
- Click Save.

B. Verify the Setting in Microsoft Entra ID
The Intune page above writes the same Mobility (MDM and MAM) setting that the Entra admin center exposes, so there is nothing separate to synchronize; use the Entra view to confirm what was saved.
- Open the Microsoft Entra admin center.
- Go to Identity > Mobility (MDM and MAM) (in the Azure portal: Microsoft Entra ID > Mobility (MDM and MAM)).
- Select Microsoft Intune.
- Confirm MDM user scope and MAM user scope (the WIP user scope) show the values and groups you chose in the Intune admin center.
- If anything differs, correct it here and click Save; the change appears in both portals.
5. Best Practices for Enrollment Scopes
- Start Small: Pilot with a limited set of users or devices. Use the "Some" scope and test thoroughly.
- Use Security Groups: Target specific departments or device types by grouping users in Microsoft Entra ID.
- Document Scope Policies: Keep records of which groups have MDM or WIP enabled and why.
- Review Regularly: Quarterly audits catch changes in workforce or device ownership.
- Combine with Conditional Access: Gate access based on device compliance, location, or user risk. A compliance-based grant control needs an MDM-enrolled device that reports to Intune; a WIP-only (registered) device cannot satisfy it.
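As an added example serving both the configuration steps in section 4 and the documentation and review bullets above (this is not code from the original article or from Microsoft), the following PowerShell reads the MDM and MAM (WIP) user scopes through Microsoft Graph, flags combinations that matter for enrollment behaviour, and writes a dated record. It assumes the Microsoft.Graph.Authentication module is installed, that the signed-in account holds Policy.Read.All, and that the Intune entry under Mobility (MDM and MAM) is named "Microsoft Intune"; the beta mobilityManagementPolicy endpoints are used because that resource is not on v1.0.

```powershell
# Added example, not from the original article: audit the MDM and MAM (WIP)
# user scopes through Microsoft Graph (beta mobilityManagementPolicy resource).
# Requires the Microsoft.Graph.Authentication module and Policy.Read.All.
# Assumption: the Intune entry under Mobility (MDM and MAM) is named
# 'Microsoft Intune'; pass -PolicyDisplayName if your tenant differs.

function Get-IntuneEnrollmentScope {
    param([string] $PolicyDisplayName = 'Microsoft Intune')

    # One object per scope; appliesTo is none | all | selected (None | All | Some in the portal).
    $kinds = @(
        @{ Scope = 'MDM'; Segment = 'mobileDeviceManagementPolicies' },
        @{ Scope = 'MAM'; Segment = 'mobileAppManagementPolicies' }
    )
    foreach ($k in $kinds) {
        $base   = "https://graph.microsoft.com/beta/policies/$($k.Segment)"
        $list   = @((Invoke-MgGraphRequest -Method GET -Uri $base).value)
        $policy = $list | Where-Object { $_.displayName -eq $PolicyDisplayName } | Select-Object -First 1
        if (-not $policy) {
            $names = ($list | ForEach-Object { $_.displayName }) -join ', '
            throw "$($k.Scope): no policy named '$PolicyDisplayName' (found: $names)"
        }
        # includedGroups is the group list behind 'Some'; it is empty for None and All.
        $groups = @((Invoke-MgGraphRequest -Method GET -Uri "$base/$($policy.id)/includedGroups").value)

        [pscustomobject]@{
            Scope        = $k.Scope
            AppliesTo    = $policy.appliesTo
            GroupIds     = @($groups | ForEach-Object { $_.id })
            GroupNames   = @($groups | ForEach-Object { $_.displayName })
            DiscoveryUrl = $policy.discoveryUrl
        }
    }
}

function Test-IntuneEnrollmentScope {
    # Review checks that follow the precedence rules in section 2.
    param([Parameter(Mandatory)] [object[]] $Scopes)
    $mdm = $Scopes | Where-Object Scope -eq 'MDM'
    $mam = $Scopes | Where-Object Scope -eq 'MAM'
    $findings = @()

    foreach ($s in $Scopes) {
        if ($s.AppliesTo -eq 'selected' -and $s.GroupIds.Count -eq 0) {
            $findings += "$($s.Scope) user scope is 'Some' but has no groups, so it applies to nobody."
        }
        if ($s.AppliesTo -eq 'all') {
            $findings += "$($s.Scope) user scope is 'All': every licensed user is in scope, not just a pilot."
        }
    }
    if ($mdm.AppliesTo -eq 'none') {
        $findings += 'MDM user scope is None: Entra joined and Autopilot devices will not auto-enroll.'
    }
    # Users in both scopes: MDM wins on Entra joined devices, WIP wins on Entra registered ones.
    $overlap = @($mdm.GroupIds | Where-Object { $_ -in $mam.GroupIds })
    if ($overlap.Count -gt 0 -or ($mdm.AppliesTo -eq 'all' -and $mam.AppliesTo -eq 'all')) {
        $findings += 'Some users are in both scopes: corporate devices get MDM, personal devices get WIP only.'
    }
    return $findings
}

# Usage: interactive sign-in, show the scopes, list findings, keep a dated JSON record.
Connect-MgGraph -Scopes 'Policy.Read.All' -NoWelcome
$scopes = Get-IntuneEnrollmentScope
$scopes | Format-Table Scope, AppliesTo, GroupNames -AutoSize
Test-IntuneEnrollmentScope -Scopes $scopes
$scopes | ConvertTo-Json -Depth 4 | Set-Content -Path "EnrollmentScopes-$(Get-Date -Format yyyyMMdd).json"
```

Run it after each change to the scopes and keep the JSON files; diffing two of them is a quick way to satisfy the quarterly review, and the findings list catches the common mistake of saving "Some" without assigning a group.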
6. Monitoring and Troubleshooting
- Enrollment Status Reports: In Intune, check reports for enrollment success, failures, and errors.
- Device Compliance Reports: Track compliance rates and take action on non-compliant devices.
- User Feedback Loop: Provide clear instructions to help users understand when a device is auto-enrolled or only data-protected.
- Log Collection: On the device, use the built-in MDM diagnostics: Settings > Accounts > Access work or school > Info > Create report (produces MDMDiagReport.html), or mdmdiagnosticstool.exe from an elevated prompt, together with the DeviceManagement-Enterprise-Diagnostics-Provider event log.
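As an added example for the log-collection step (not part of the original article and not a Microsoft script), the PowerShell below summarises a Windows device's Entra join type, its MDM enrollment records and the last automatic-enrollment result, then collects the built-in diagnostic CAB. It is meant to run in an elevated session on the device under investigation. Assumptions: event IDs 75 and 76 in the DeviceManagement-Enterprise-Diagnostics-Provider Admin log are the auto-enrollment succeeded and failed events, a ProviderID of "MS DM Server" under HKLM\SOFTWARE\Microsoft\Enrollments marks an Intune enrollment, and the raw EnrollmentState and EnrollmentType values are reported without interpretation.

```powershell
# Added example, not from the original article: device-side enrollment triage.
# Run from an elevated PowerShell on the Windows device being investigated.
# Assumptions (see lead-in): event IDs 75/76 = auto-enrollment succeeded/failed;
# ProviderID 'MS DM Server' = Intune MDM enrollment.

function Get-DsregStatus {
    # dsregcmd /status prints "Key : Value" lines; keep only the single-word keys we need.
    $wanted = 'AzureAdJoined', 'DomainJoined', 'WorkplaceJoined', 'MdmUrl', 'TenantName', 'DeviceId'
    $status = @{}
    foreach ($line in (& dsregcmd.exe /status)) {
        if ($line -match '^\s*(\S+)\s*:\s*(.+?)\s*$' -and $Matches[1] -in $wanted) {
            if (-not $status.ContainsKey($Matches[1])) { $status[$Matches[1]] = $Matches[2] }
        }
    }
    return $status
}

function Get-MdmEnrollment {
    # Each enrollment is a GUID-named key; non-GUID keys (Context, Status, ...) are skipped.
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9a-fA-F-]{36}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.ProviderID) {
                [pscustomobject]@{
                    EnrollmentId    = $_.PSChildName
                    ProviderID      = $p.ProviderID
                    EnrollmentState = $p.EnrollmentState   # raw registry value, not interpreted
                    EnrollmentType  = $p.EnrollmentType    # raw registry value, not interpreted
                    UPN             = $p.UPN
                }
            }
        }
}

function Get-LastAutoEnrollEvent {
    $log = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
    Get-WinEvent -FilterHashtable @{ LogName = $log; Id = @(75, 76) } -MaxEvents 1 -ErrorAction SilentlyContinue |
        Select-Object TimeCreated, Id,
            @{ n = 'Result'; e = { if ($_.Id -eq 75) { 'Succeeded' } else { 'Failed' } } }, Message
}

function Get-EnrollmentSummary {
    $ds  = Get-DsregStatus
    $mdm = @(Get-MdmEnrollment | Where-Object ProviderID -eq 'MS DM Server')
    $joinType =
        if ($ds.AzureAdJoined -eq 'YES' -and $ds.DomainJoined -eq 'YES') { 'Hybrid Entra joined (corporate): MDM scope applies' }
        elseif ($ds.AzureAdJoined -eq 'YES')                              { 'Entra joined (corporate): MDM scope applies' }
        elseif ($ds.WorkplaceJoined -eq 'YES')                            { 'Entra registered (personal): WIP scope wins if both are set' }
        else                                                              { 'Not joined or registered' }
    [pscustomobject]@{
        JoinType       = $joinType
        Tenant         = $ds.TenantName
        MdmUrl         = $ds.MdmUrl          # populated once the device has discovered an MDM
        IntuneEnrolled = ($mdm.Count -gt 0)
        Enrollments    = $mdm
        LastAutoEnroll = Get-LastAutoEnrollEvent
    }
}

function Export-MdmDiagnostics {
    # Same data as Settings > Access work or school > Info > Create report, collected as a CAB.
    param([string] $OutDir = (Join-Path $env:TEMP 'MdmDiag'))
    New-Item -ItemType Directory -Path $OutDir -Force | Out-Null
    $cab = Join-Path $OutDir "MDMDiag-$(Get-Date -Format yyyyMMdd-HHmmss).cab"
    & mdmdiagnosticstool.exe -area 'DeviceEnrollment;DeviceProvisioning;Autopilot' -cab $cab
    return $cab
}

Get-EnrollmentSummary | Format-List
Export-MdmDiagnostics
```

The join-type line is the fastest way to settle the most common ticket: a personal device that is "only registered" behaves exactly as section 2 predicts when the user is in both scopes, and a corporate device with no MS DM Server enrollment and a failed event 76 points at licensing, scope membership or enrollment restrictions rather than at the device itself.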
By carefully configuring MDM and WIP scopes, you’ll provide robust management for corporate devices and respectful data protection for personal devices. This ensures strong security without sacrificing user privacy or productivity.

