DeviceEnroller.exe

Microsoft Intune Device Enrollment Client

Application ProcessSafeDevice Management

CPU Usage

1-8%

Memory

50-150 MB

Location

C:\Windows\System32

Publisher

Microsoft Corporation

Quick Answer

deviceenroller.exe is safe. It's the legitimate Microsoft Intune Device Enrollment Client used to enroll Windows devices into an MDM/Intune environment. It runs to configure policies and apps during enrollment.

Is it a Virus?

✔ NO - Safe

Must be in C:\Windows\System32\DeviceEnroller.exe

Warning

Many processes normal

Enrollment tasks may spawn multiple child processes during provisioning (policy, app install, and telemetry).

Can I Disable?

✔ YES

Disabling could interrupt enrollment and policy application; disable only when enrollment is not in progress.

What is DeviceEnroller.exe?

deviceenroller.exe is the Windows enrollment helper used by Microsoft Intune to provision devices. It runs during initial setup or enrollment cycles to apply configuration profiles, deploy enterprise apps, and register the device with the organization. The tool launches briefly and works behind the scenes to complete provisioning.

This executable coordinates enrollment tasks via the Windows Enrollment framework, authenticates with the MDM server, downloads policies, and triggers app installations. It operates as a background service during enrollment and uses TLS for server communication while sandboxed from user data.

Quick Fact: DeviceEnroller.exe is part of modern Windows enrollment; it orchestrates policy and app deployment during initial setup and keeps the device in sync with the MDM server.

Types of Device Enroller Processes

Enrollment Orchestrator: Main enrollment flow that coordinates policy application and app deployment
Policy Engine: Applies configuration profiles from the MDM server
App Installer: Installs enterprise apps required by the organization
Network Communicator: Handles TLS/HTTPS communication with enrolment servers
Telemetry/Status Reporter: Sends enrollment status and telemetry to the MDM service
Utility/Background Tasks: Background housekeeping and enrollment-related tasks

Is deviceenroller.exe Safe?

Yes, deviceenroller.exe is safe when it's the legitimate file from Microsoft downloaded from official sources (microsoft.com or Windows Update).

Is deviceenroller.exe a Virus or Malware?

The real deviceenroller.exe is NOT a virus. However, malware may masquerade with similar names to trick users.

How to Tell if deviceenroller.exe is Legitimate or Malware

File Location: Must be in C:\Windows\System32\DeviceEnroller.exe or C:\Program Files\DeviceEnrollment\DeviceEnroller.exe. Any other location is suspicious.
Digital Signature: Right-click the file in Explorer → Properties → Digital Signatures. Should show "Microsoft Corporation" as signer.
Resource Usage: Normal enrollment usage is modest (1-8% CPU, 50-150 MB memory). Persistent high usage outside enrollment is suspicious.
Behavior: DeviceEnroller.exe should run during enrollment windows only. If it runs when not enrolling or after removal from management, suspect tampering.

Red Flags: If deviceenroller.exe is located in unusual folders (like Temp or AppData), runs when enrollment isn't active, has no valid signature, or uses abnormal resources, scan your system with antivirus software. Beware of similarly named files like "deviceenroller32.exe" from untrusted sources.

Why Is deviceenroller.exe Running on My PC?

deviceenroller.exe runs when you enroll Windows devices into an MDM like Microsoft Intune or when enrollment tasks are scheduled by organizational policies and startup logic.

Reasons it's running:

Active Enrollment Session: Enrollment is in progress as the device registers with the MDM and applies profiles.
Background Enrollment Tasks: Background provisioning tasks run to ensure policies and apps are configured after first login.
Policy Synchronization: Device periodically syncs policies and compliance rules with the management server.
App Deployment: Your organization may deploy apps as part of the enrollment package.
System or OS Updates: Post-update re-provisioning may trigger enrollment routines to re-apply configuration.

Can I Disable or Remove deviceenroller.exe?

Yes, you can disable deviceenroller.exe temporarily. It is part of enrollment; disabling might interrupt enrollment and policy application. You can remove or disable enrollment via Windows Settings or group policy if you manage the device.

How to Stop deviceenroller.exe

Pause Enrollment by Disconnecting from Work or School: Open Settings > Accounts > Access work or school, select the organization, then Disconnect.
Disable Enrollment from Startup: Open Task Manager > Startup, disable enrollment-related startup items if present.
Stop Enrollment services (if available): Open Services (services.msc), locate services related to device enrollment and set to Disabled.
Restart: Restart the device to apply changes.
Re-enable when needed: You can re-connect to work or school when enrollment is desired.

How to Uninstall Device Enrollment Client

✔ Windows Settings → Accounts → Access work or school → Disconnect the organization account
✔ Remove Company Portal app if installed: Settings → Apps → Company Portal → Uninstall
✔ Reset this PC to remove enrollment configurations and re-enroll later

Common Problems: High CPU or Memory Usage

If deviceenroller.exe is consuming excessive resources:

Common Causes & Solutions

Active Enrollment Sessions: Wait for enrollment to complete or terminate extra enrollment tasks via management console.
Background Policy Updates: Review and adjust policy update frequency or temporarily pause updates via the MDM.
Network Connectivity Issues: Ensure stable network access to the enrollment servers (TLS/HTTPS). Check firewall and proxy settings.
App Deployment Load: Limit simultaneous app installations; review Intune app deployment policies.
Corrupt Enrollment Cache: Leave and re-enroll or reset enrollment data via proper organizational channels.
Conflicting Security Software: Temporarily disable conflicting security tools during enrollment provisioning.

Quick Fixes:
1. Open Settings and disconnect from work or school to stop enrollment activity
2. Restart enrollment services or reboot the device
3. Check Task Manager for deviceenroller.exe processes and end non-critical ones
4. Review and limit enterprise app deployments in the MDM
5. Ensure Windows and Intune client are up to date

Frequently Asked Questions

What is deviceenroller.exe?

deviceenroller.exe is the Microsoft Intune Device Enrollment Client used to provision Windows devices, apply policies, and install enterprise apps during enrollment.

Is deviceenroller.exe a virus?

No, the legitimate deviceenroller.exe from Microsoft is not a virus. Verify the file path (C:\Windows\System32\DeviceEnroller.exe) and digital signature from Microsoft Corporation.

Why is deviceenroller.exe running at startup?

Enrollment components may run during initial setup or when policy changes require re-provisioning. If you’re not enrolling, investigate startup items and connected work accounts.

Can I disable deviceenroller.exe?

Yes, temporarily disabling enrollment is possible by disconnecting from work or school, or stopping related services. Do not disable if your device must stay managed.

How do I remove device enrollment from my PC?

Disconnect from the organization account in Settings > Accounts > Access work or school, uninstall Company Portal if present, or reset the PC if you must wipe enrollment data.

Why are there multiple deviceenroller.exe processes?

Enrollment uses a multi-process approach: an orchestrator, policy engine, and app installer may run concurrently to provision and configure the device.