Managing Windows 10 with Intune – The Many Ways to Enrol


There are many ways to enrol Windows 10 devices into Microsoft Intune for device management. Some are User-driven and some controlled by IT administrators, Some exist to support BYOD programs and others to streamline modern provisioning scenarios and management for corporate-owned devices.

Each enrolment method can have different setup requirements and behaviours. I was going to title this blog "The 9 ways to enrol in Intune" – it had a nice ring to it but I knew the title would end up being wrong in no time.

The meat of this post is the enrolment matrix below. It's meant to be a be a good reference for IT admins and architects embarking on Windows 10 Management projects to view all the available scenarios and help find the right documentation needed to get started with Windows 10 enrolment into Intune. Hope it helps!

Update 3/9/18 - The statement above proved to be right - Thanks to MSFT support gurus Radu and Mihai for pointing out to me a 10th scenario -- I've added #6: Enrol in MDM Only (Device Enrollment Manager)

Here is a quick description of each of the scenarios mentioned in the grid:

Scenario 1: Add work or school Account (User Driven)

This enrolment method is typically used in BYOD scenarios. Once configured, users can be provided instructions on how to access "set up a work or school account" from the settings.

https://docs.microsoft.com/en-us/windows/client-management/mdm/mdm-enrollment-of-windows-devices#connecting-personally-owned-devices-bring-your-own-device

Scenario 2: Modern App Sign-in (User Driven)

This enrolment method is typically used for BYOD scenarios. Once configured, a logon to a Modern Windows 10 App (e.g. OneNote or Store), or Office ProPlus using a work account will trigger enrolment.

https://docs.microsoft.com/en-us/windows/client-management/mdm/mdm-enrollment-of-windows-devices#connecting-personally-owned-devices-bring-your-own-device

Scenario 3: Enrol in MDM Only (User Driven)

This method of enrolment is for enrolling directly into Intune. This form of enrolment is often used for BYOD, particularly in environments that do not have Azure AD Premium licenses required to perform the automated enrolment provided with other methods.

https://docs.microsoft.com/en-us/windows/client-management/mdm/mdm-enrollment-of-windows-devices#connecting-to-mdm-on-a-desktop-enrolling-in-device-management

Scenario 4: Azure AD Join (OOBE)

This method of setup and enrolment is a user driven enrolment via the Out of Box Experience. By choosing "Setup for an organisation" and using work account to sign in, the device becomes Azure AD Joined and automatically enrolled into Intune.

https://docs.microsoft.com/en-us/intune/windows-enroll

Scenario 5: Azure AD Join (AutoPilot)

This method of setup and Intune enrolment is user driven, however the OOBE experience is customised to the organisation. Many of the OOBE screens can be skipped to ensure a smoother setup experience for end users.

https://docs.microsoft.com/en-us/intune/enrollment-autopilot

 

Scenario 6: Enrol in MDM Only (Device Enrollment Manager)

This method of setup is very simlilar to Scenario #3 except it is performed by IT admins using a special type of account - A Device Enrollment Manager (DEM) Account. This account can be used to enrol up to 1000 devices into Intune.  The IT administrator who is performing the enrollment needs to have access to local administrator credentials to complete the enrollment from the settings menu.

https://docs.microsoft.com/en-us/intune/device-enrollment-manager-enroll

Scenario 7: Azure AD Device Registration + Automatic Enrolment Group Policy Object

Intune enrolment for Domain joined Windows 10 devices can be automated using a GPO "Enable Automatic MDM enrolment using default Azure AD Credentials"


Note: This is different to Azure AD Device Registration GPO. That GPO will only control the registration of the device and make it "Hybrid Azure AD Joined", it will not enrol the device into Intune.

Before Enabling GPO

Device Registration Cert (Local computer store)

After Enabling GPO

Intune Certificate (SC_Online_Issuing) is present in local computer certificate store

https://docs.microsoft.com/en-us/windows/client-management/mdm/enroll-a-windows-10-device-automatically-using-group-policy

Scenario 8: SCCM Co-Management

Co-management is the best way to enrol existing device fleet that is already being managed by Configuration Manager. Once enabled, the device will be able to be managed by SCCM and Intune, leveraging the best features of both.

CoManagmementHandler.log can show successful enrolment via this method.

https://docs.microsoft.com/en-us/sccm/core/clients/manage/co-management-overview

Scenario 9: Azure AD Join (Bulk Enrolment)

Bulk enrolment is the name given to devices Azure AD Joined using a Bulk enrolment token. A bulk enrolment token can be created by IT admins using "set up school PCs" or Windows configuration Designer apps from the store. In this scenario, the IT admin prepares Windows devices with a USB key (Azure AD Join and Intune enrolment) ready for first user logon.

https://docs.microsoft.com/en-us/windows/client-management/mdm/bulk-enrollment-using-windows-provisioning-tool

Scenario 10: Azure AD Join (AutoPilot Self Deploying Mode)

This enrolment scenario is primarily for userless devices such as kiosks. The setup experience is the most streamlined out of any of the others, allowing all OOBE screens to be skipped after the device is first powered on.

The Azure AD Join and Intune enrolment is fully automated without any user interaction.

It's currently in preview and can be configured by choosing these options in your autopilot profile in the Intune console:

https://docs.microsoft.com/en-us/intune/enrollment-autopilot

If you find an enrolment scenario I haven't listed here, please let me know in the comments!

Comments (0)

Skip to main content