Forum Discussion
Intune Licensing - Device Enrolment
I am looking for some information on Intune and Device enrolment licensing.
Currently, we have Microsoft Entra ID P1. Our setup is in a Hybrid environment. My account (Device Enrolment Manager) has a Microsoft E3 license, which includes Intune. I have configured Enrollment profiles, app deployment, Intune connector for AD, etc.
I can enroll devices in Intune using Automatic Enrolment or Autopilot using a single DEM account; then, this device will be given to a different user.
For now, I just want to confirm: if I was able to enrol a few devices using my account, and I believe there is a limit of 1000 per DEM, does that mean that, if we do not require an Intune device-only license and we don't need additional Intune capabilities, I am OK to keep enrolling devices using a single Device Enrolment Manager account?
I just want to make sure we are not breaking any MS license agreements. Or do you require an Intune license as soon as the device is enrolled in Intune, regardless of whether you require additional Intune features?
Thanks!
- kyazaferr (Iron Contributor)
In your scenario, where you're using Microsoft Intune for device enrollment with Microsoft Entra ID P1 and a Microsoft E3 license, here's a breakdown of the licensing and rules around device enrollment:
1. Intune Device Enrollment with Microsoft E3 License
- Microsoft E3 license includes Intune, which allows you to manage and enroll devices. You can enroll devices (whether they are Windows, macOS, iOS, or Android) using Automatic Enrollment or Autopilot.
- Device Enrollment Manager (DEM) account allows you to manage multiple devices (up to 1,000 devices per DEM account). This is part of the Intune service in the Microsoft 365 E3 license.
Important Considerations:
- A DEM account can be used to enroll devices, but the devices you enroll still need to be licensed for Intune. This means that the device itself must have an appropriate license for Intune management, such as a Microsoft Intune Device license or a Microsoft 365 E3/E5 license.
- Microsoft Entra ID P1 provides the necessary identity and access management features, but Intune licensing is separate and needs to be considered when devices are enrolled.
2. License Requirements for Devices
- No Additional License Required for Device Enrollment: As long as you're using the Device Enrollment Manager (DEM) account for device enrollment, and you're not using any additional Intune features beyond basic device enrollment and management, you generally don’t need additional licenses for the DEM account itself.
- Device Licensing: The key part here is that each device needs to be licensed for Intune. Devices enrolled via Automatic Enrollment or Autopilot must have either:
  - A Microsoft 365 license (e.g., E3/E5) that includes Intune, or
  - A standalone Intune device license.
- If a device is only used for enrollment and doesn't require Intune management (e.g., it's simply a device that’s joined to Azure AD but doesn’t require ongoing management), it might not need an Intune license, but this is generally an exception.
3. Device License Requirements Post-Enrollment
- Once a device is enrolled in Intune, it will typically need to be licensed for Intune management for the device to continue to receive policies, configurations, and app deployments.
- If you're using Microsoft 365 E3, the device is already licensed for Intune as long as it’s assigned to a user with that license. The user’s license will cover Intune management for their device.
4. Is an Intune Device-Only License Required?
- If you're managing devices via Microsoft Intune and not using any additional advanced Intune features (like security policies, conditional access, etc.), you can technically get by with just Microsoft 365 E3 licenses for the users.
- However, each device needs to be assigned a Microsoft 365 license or an Intune device license if it's going to be managed through Intune.
5. Breakdown of Key Points:
- DEM Account: Allows for enrolling devices (up to 1,000 devices) and doesn’t require additional Intune licenses for the account itself.
- Device Licensing: Devices enrolled via DEM need an Intune license (via Microsoft 365 E3 or standalone Intune license). This is essential for managing the device with Intune, even if you’re not using advanced Intune features.
- Automatic Enrollment: This can be used to automatically enroll Windows devices into Intune without requiring additional licenses, as long as the device has a valid Microsoft 365 or Intune license.
Conclusion:
- If you’re using Microsoft 365 E3 for your users, and devices are being enrolled by a Device Enrollment Manager (DEM) account, you should be compliant with Microsoft’s licensing terms as long as the devices are licensed with Microsoft 365 E3 or a standalone Intune license.
- No additional Intune licenses are required specifically for the DEM account, as long as you're not using additional advanced features.
- Dan_101 (Copper Contributor)
Thank you for the reply; it is a very detailed and helpful explanation. So it looks like the fact that we can do it doesn't necessarily mean we are licensed for it?!
We were testing using Autopilot & app, settings, and endpoint security deployment, which has worked using the DEM account. So, I assume if we continue using those features for all devices that are enrolled via DEM, we will require, at minimum, an Intune device-only license.
- kyazaferr (Iron Contributor)
- Autopilot, App Deployment, Settings, and Endpoint Security Deployment: If you're using these features via DEM to enroll and manage devices, you'll need to ensure that each device is licensed for Intune—either through the Microsoft 365 E3/E5 license assigned to the user or through a standalone Intune device-only license.
- Intune Device-Only License: If you're managing devices without assigning a Microsoft 365 license to the user (or if the device is not tied to a user account with an eligible Microsoft 365 license), then the device will require an Intune device-only license for the management features you’re using.
Final Thoughts:
- You are on the right track: continuing to use Autopilot and other management features for devices enrolled through DEM means you will need to ensure you have the correct Intune licenses in place for those devices. Without the appropriate Intune device licenses, some features might not work as expected, and you could potentially run into compliance issues with Microsoft licensing terms.
- KevJackson88 (Copper Contributor)
If you're assigning a single primary user to each device then it's the USER that carries the licence for Intune management. MS365 BusPremium as a minimum includes Intune.
If it's going to be a shared device then an Intune device licence is required, but there are other caveats to that too, I believe.
Edit: Why are you manually doing it all through your DEM? Would Autopilot not be better? Hand the new (or repurposed) device to the users; when they turn it on and log in with their licensed account, it configures it according to what group they are in?
- Dan_101 (Copper Contributor)
Autopilot would be better, and we have tested that for a few devices. Unfortunately, we are in Hybrid Azure AD Join, and from all the research I have done, I can see that HAADJ is a nightmare to configure with pre-logon VPN, etc.
Also, I was under the assumption that our Microsoft Entra ID P1 allows Autopilot deployment without a device using an Intune license, but as per the excellent and detailed response, we need some type of Intune device license to leverage Autopilot deployment.
Basically, our IT supplier/vendor can register devices to our Azure tenant for Autopilot deployment. Those devices get delivered to our office, and the IT team then deploys them via Autopilot, with no need to manually register devices/hardware hash via PowerShell command.
But it seems that the fact that we can do it doesn't necessarily mean we are allowed to do it?! We could potentially break some type of licensing agreement by deploying devices using a single DEM account and leveraging Autopilot deployment and deployment profiles, which include domain join and app installations.
Basically, we don't require any other Intune add-ons, simply using Autopilot rather than MDT for device deployment.
Hopefully, the above makes some sort of sense.