Enrolling Windows Devices in Microsoft Endpoint Manager

The first step is to decide how you are going to enroll your Windows devices into MEM. There are a few different enrollment options. The easiest enrollment solution I have found for enrolling company-owned devices thus far is to configure an Azure Active Directory security group that contains the users you wish to be managed by MEM. These users do need to be licensed properly for Microsoft Endpoint Manager. Once that security group is configured and users are added, you can add the newly made security group to the Automatic Enrollment option in MEM. To do so, in the MEM admin center click Devices in the left pane, click Enroll Devices, then click Automatic Enrollment. From here, you can add the newly made security group under Groups so that the licensed users in the group have their devices rolled enrolled into MEM. Note that you will want to change your Scope to Some if you want to control which users/devices are enrolled. 

You can view a list of enrolled devices under Devices > All Devices. For organizations supporting BYO devices that are still required to meet certain compliance and configuration standards to access company data, MEM extends its management capabilities to BYO devices as well. BYO devices can be enrolled in the same method described above but note that management features are limited for BYOD as they are with company-owned devices. Once you have a device or a few devices enrolled in MEM I suggest creating a map of compliance standards that fits your company’s security needs. For example, what are the requirements your devices must meet in order to access company data? What requirements do your devices need to have to stay within your organization’s security model? Once defined, compliance standards can be configured.