diff --git a/lib/auth/permissions.go b/lib/auth/permissions.go
index a76f63b3d80..ea6167e46f7 100644
--- a/lib/auth/permissions.go
+++ b/lib/auth/permissions.go
@@ -670,6 +670,7 @@ func definitionForBuiltinRole(clusterName string, recConfig types.SessionRecordi
 WindowsDesktopLabels: types.Labels{types.Wildcard: []string{types.Wildcard}},
 Rules: []types.Rule{
 types.NewRule(types.Wildcard, services.RW()),
+ types.NewRule(types.KindDevice, append(services.RW(), types.VerbCreateEnrollToken, types.VerbEnroll)),
 },
 },
 })
diff --git a/lib/services/role.go b/lib/services/role.go
index 8656e601e2b..f092b428b37 100644
--- a/lib/services/role.go
+++ b/lib/services/role.go
@@ -707,7 +707,7 @@ func RoleSetFromSpec(name string, spec types.RoleSpecV6) (RoleSet, error) {
 return NewRoleSet(role), nil
 }
 
-// RW is a shortcut that returns all verbs.
+// RW is a shortcut that returns all CRUD verbs.
 func RW() []string {
 return []string{types.VerbList, types.VerbCreate, types.VerbRead, types.VerbUpdate, types.VerbDelete}
 }
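Review bot: In the lib/auth/permissions.go hunk, the new `types.KindDevice` rule gives the same builtin role both `types.VerbCreateEnrollToken` and `types.VerbEnroll`, so a holder of that role can issue an enrollment token and also consume it. Which role this is cannot be seen from the hunk, because definitionForBuiltinRole begins and ends outside it. If the role only needs to administer devices, dropping `types.VerbEnroll` would keep token issuance and enrollment separate. If both are intended, a comment above the rule should say so, for example `// Wildcard RW() covers only CRUD verbs; device enrollment verbs must be granted explicitly.` A test pinning the verbs this role holds on `types.KindDevice` would catch later widening.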
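Review bot: The reworded comment on RW in lib/services/role.go still leaves out two things callers now depend on: the returned slice also carries `types.VerbList`, and the permissions.go change in this commit passes the result straight to `append`. That is safe only because RW builds a new slice literal on every call, so the doc comment should state it: `// RW returns a new slice holding the list and CRUD verbs; callers may append to it. Other verbs must be granted explicitly.`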