Intune enrollment CNAME records: do you really need them?

A recurring question when you set up Windows device management with Microsoft Intune: "Do I really have to create the EnterpriseEnrollment / EnterpriseRegistration CNAME records?" The short answer is no. They are optional, and if you rely on automatic enrollment they bring you nothing. Let's clear this up, because it trips up a lot of people, and let's also settle the "you need Premium" part, because "Premium" is ambiguous.

What the enrollment CNAMEs actually do

When a user manually enrolls a Windows device (for example via Settings > Accounts > Access work or school, or through the Company Portal), Windows tries to discover the MDM enrollment server. The EnterpriseEnrollment CNAME is a DNS alias that points your domain at the Intune autodiscovery endpoint, so the user does not have to type the server address.

Two records are involved:

Type   Host name                              Points to
CNAME  EnterpriseEnrollment.yourdomain.com    EnterpriseEnrollment-s.manage.microsoft.com
CNAME  EnterpriseRegistration.yourdomain.com  EnterpriseRegistration.windows.net
  • EnterpriseEnrollment handles enrollment autodiscovery.
  • EnterpriseRegistration is used for Microsoft Entra device registration (workplace join), which Conditional Access depends on.

If no EnterpriseEnrollment CNAME exists, enrollment is not blocked: the user is simply prompted to enter the server name manually (enrollment.manage.microsoft.com). So the CNAME is a convenience, not a requirement, and Microsoft states this explicitly.
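If you do decide to create the records, the following PowerShell check (an added example, not part of the original post) resolves both names for a domain and compares them with the targets in the table above. It assumes Resolve-DnsName is available (DnsClient module, Windows 8 / Server 2012 and later) and that you pass your own verified domain in place of yourdomain.com.

```powershell
# Added example: verify the optional Intune enrollment CNAMEs for a domain.
# Usage: .\Test-IntuneCnames.ps1 -Domain yourdomain.com   (file name is hypothetical)
param(
    [Parameter(Mandatory = $true)]
    [string]$Domain
)

# Expected targets as documented by Microsoft. DNS names are case-insensitive,
# so the comparison below uses -ieq.
$expected = @{
    "EnterpriseEnrollment.$Domain"   = 'EnterpriseEnrollment-s.manage.microsoft.com'
    "EnterpriseRegistration.$Domain" = 'EnterpriseRegistration.windows.net'
}

$allOk = $true
foreach ($name in $expected.Keys) {
    try {
        # -Type CNAME asks only for the alias; -ErrorAction Stop turns NXDOMAIN into an exception.
        $records = Resolve-DnsName -Name $name -Type CNAME -ErrorAction Stop |
                   Where-Object { $_.Type -eq 'CNAME' }
    } catch {
        $records = $null
    }

    if (-not $records) {
        # No CNAME: enrollment still works, the user is just asked for the server name.
        Write-Host "MISSING  $name  (manual enrollment will prompt for the MDM server name)"
        $allOk = $false
        continue
    }

    # Resolvers may return the target with a trailing dot; strip it before comparing.
    $target = ($records | Select-Object -First 1).NameHost.TrimEnd('.')
    if ($target -ieq $expected[$name]) {
        Write-Host "OK       $name -> $target"
    } else {
        Write-Host "WRONG    $name -> $target  (expected $($expected[$name]))"
        $allOk = $false
    }
}

if ($allOk) { exit 0 } else { exit 1 }
```

A non-zero exit code makes the script usable as a pre-check in a deployment pipeline, but remember that a MISSING result is only a problem for manual enrollment, not for automatic enrollment.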

Why you do not need it with automatic enrollment

If your devices enroll through MDM automatic enrollment (the device enrolls automatically when it joins or registers with Microsoft Entra ID), you do not configure CNAME records at all. When you turn on automatic enrollment in your tenant, the MDM server endpoints are configured by default, and the device gets them from Microsoft Entra ID, not from DNS autodiscovery.

Microsoft says it plainly:

If you're enrolling Windows devices by using MDM automatic enrollment, you don't have to worry about configuring CNAME records for your MDM server. The MDM server is configured by default when you enable MDM automatic enrollment in your tenant.

Source: Enable auto-discovery of Intune enrollment server (Microsoft Learn)

That covers the most common modern scenarios:

  • Microsoft Entra join + automatic enrollment
  • Windows Autopilot (user-driven and self-deploying)
  • Group Policy based enrollment
  • Bulk enrollment
  • Co-management with Configuration Manager

In all of these, the EnterpriseEnrollment CNAME does nothing for you. If you are in this case, creating it is pointless, and that is one less DNS record to maintain.

When the CNAME is still useful

Two different records, two different (legacy) cases:

  • EnterpriseEnrollment is only useful for pure user-driven manual enrollment, where you want to spare users from typing the MDM server name (typically BYOD without automatic enrollment).
  • EnterpriseRegistration is a different beast: it is about Microsoft Entra device registration (workplace join), not MDM enrollment, and it points to enterpriseregistration.windows.net. It matters mainly for Microsoft Entra hybrid join, where on-premises AD devices register to Entra ID and need to discover the registration service (especially with managed or federated domains, or non-routable UPN suffixes). The Intune documentation recommends configuring it "if you plan to use Conditional Access", because Conditional Access requires devices to be registered to Entra ID, but that recommendation targets the registration-discovery scenario above.

In cloud-native scenarios (Microsoft Entra join, or Entra-registered BYOD through automatic enrollment), device registration happens natively, so the EnterpriseRegistration CNAME is not required either. In other words, with automatic enrollment you need neither CNAME.

The "Premium" part: which Premium?

Automatic MDM enrollment is a premium Microsoft Entra feature. But "Premium" here is not a vague marketing word: it specifically means a Microsoft Entra ID P1 (or P2) license. Without it, the automatic enrollment settings are not even available in the Intune admin center.

The important nuance: you do not necessarily have to buy Entra ID P1 as a standalone SKU. P1 is included in several bundles you may already own:

  • Microsoft 365 Business Premium (small and medium businesses)
  • Microsoft 365 E3 and E5
  • Enterprise Mobility + Security E3 and E5

(Microsoft Entra ID P2 ships with Microsoft 365 E5 and EMS E5.)

So if you already have, for example, Microsoft 365 Business Premium or E3, you already have the Entra ID P1 that automatic enrollment requires. There is no separate "Premium" purchase to make.

Sources

  • Enable auto-discovery of Intune enrollment server: https://learn.microsoft.com/en-us/intune/intune-service/enrollment/windows-enrollment-create-cname
  • Set up automatic enrollment for Windows devices: https://learn.microsoft.com/en-us/intune/intune-service/enrollment/windows-enroll
  • Microsoft Entra licensing: https://learn.microsoft.com/entra/fundamentals/licensing

Bastien Perez

Freelance Microsoft 365 - Active Directory - Modern Workplace

France