Forum Discussion
Desktop support enrolling Autopilot devices - DeviceCapReached error
A device enrollment manager (DEM) is a nonadministrator user who can enroll devices in Intune. Device enrollment managers are useful to have when you need to enroll and prepare many devices for distribution. People signed in to a DEM account can enroll and manage up to 1,000 devices, while a standard nonadmin account can only enroll 15.
https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll
That is the second option I mentioned in my post -
The next option is using a device enrollment manager account, but the https://learn.microsoft.com/en-us/mem/intune/enrollment/device-enrollment-manager-enroll?source=recommendations mentions it enrolls the device in shared mode and that device limits won't work on devices enrolled this way. It also says "Do not delete accounts assigned as a Device enrollment manager if any devices were enrolled using the account. Doing so will lead to issues with these devices." but doesn't elaborate further. So, this option seems like a dead end.
According to https://learn.microsoft.com/en-us/answers/questions/1286676/dem-account , deleting the DEM account would mean re-enrolling all of the devices this account were used on. But if we've got an idle DEM account that's been used up, and sitting in our tenant without use, what are the security implications?
I would proceed as follows. I would create a 'non-personalized user' in Entra, assign an appropriate license to it, and register it as a DEM. Once all devices are deployed, and I no longer need the DEM, I would remove the user from the setting but not delete it in Entra. This way, I won’t have any issues with the devices, and if I need a DEM again, I’ll have it ready.
