Device Enrollment Manager (DEM) in Intune

From Notes_Wiki
Revision as of 13:29, 28 July 2025 by Ansil (talk | contribs) (Created page with " Home > Microsoft Intune > Device Enrollment Manager (DEM) in Intune = Device Enrollment Manager (DEM) in Intune = == What is a DEM User? == A Device Enrollment Manager (DEM) is a special Azure AD user account used in Intune to enroll a large number of devices (up to 1000 per DEM account) on behalf of other users. DEM accounts are useful for shared or kiosk devices, lab environments, or where users don't perform self-enrollment. == How to Creat...")
(diff) ← Older revision | Latest revision (diff) | Newer revision → (diff)

Home > Microsoft Intune > Device Enrollment Manager (DEM) in Intune


Device Enrollment Manager (DEM) in Intune

What is a DEM User?

A Device Enrollment Manager (DEM) is a special Azure AD user account used in Intune to enroll a large number of devices (up to 1000 per DEM account) on behalf of other users. DEM accounts are useful for shared or kiosk devices, lab environments, or where users don't perform self-enrollment.

How to Create a DEM User

1. Create a regular user in Microsoft Entra ID (formerly Azure AD) 

  - Go to https://entra.microsoft.com/
  - Navigate to Users > New user
  - Set username, password, and other details

2. Assign Intune license to this user 3. Assign the DEM role: 

  - Go to Microsoft Intune admin center: https://intune.microsoft.com/
  - Navigate to Tenant administration > Roles > All roles
  - Select "Device Enrollment Manager"
  - Add the user as a member

How to Use DEM

1. Log into a Windows device with the DEM credentials 2. Start the enrollment process (through Settings > Accounts > Access work or school) 3. The device is enrolled in Intune under the DEM account 4. After enrollment, any user can sign in and use the device

Use Cases

  • Kiosk mode or shared lab PCs
  • Pre-configured devices handed over to users
  • Enrollment in training or school environments
  • Devices without primary users

How to Manage DEM Devices

  • All DEM-enrolled devices appear under the DEM user in the Intune portal
  • Use device categories or dynamic groups to tag or organize these devices
  • Policies must be assigned using device groups, not user groups (since the DEM user is not the real user)

Demerits of DEM

  • Not user-specific: Devices enrolled via DEM don't reflect the real user identity
  • No per-user policies: User-targeted policies or apps won’t apply properly
  • Limited to 1000 devices per DEM user
  • Cannot use Autopilot or Conditional Access based on user
  • Manual work: DEM needs to enroll each device one by one

Best Practices

  • Use DEM only when user-driven enrollment is not possible
  • Use naming conventions and device categories to keep devices organized
  • Prefer Autopilot or user-based enrollment if feasible


Home > Microsoft Intune > Device Enrollment Manager (DEM) in Intune

Retrieved from "http://www.sbarjatiya.com/notes_wiki/index.php?title=Device_Enrollment_Manager_(DEM)_in_Intune&oldid=9265"