Managing Windows 10 with Intune – The Many Ways to Enrol

There are many ways to enrol Windows 10 devices into Microsoft Intune for device management. Some are user-driven and some are controlled by IT administrators; some exist to support BYOD programs, and others streamline modern provisioning and management for corporate-owned devices.

Each enrolment method has its own setup requirements and behaviours: licensing, who ends up as the Intune primary user, and whether the device is Azure AD joined, Hybrid Azure AD joined or only Azure AD registered.

The meat of this post is the enrolment matrix below. It's meant to be a good reference for IT admins and architects embarking on Windows 10 management projects, to see all the available scenarios at a glance and find the right documentation to get started with Windows 10 enrolment into Intune. Hope it helps!

Update 3 Sept 18 – The statement above proved to be right. Thanks to MSFT support gurus Radu and Mihai for pointing out a 10th scenario; I've added Enrol in MDM Only (Device Enrollment Manager).

Update 14 Nov 18 – Added Hybrid Azure AD (AutoPilot)

Update 14 Mar 19 – Updated the matrix to show Intune Primary User and capabilities

Update 29th April 19 – Updated matrix to show support for DEM and Conditional Access. (Thanks Roger Southgate!)

Here is a quick description of each of the scenarios mentioned in the grid:

Scenario 1: Add work or school Account (User Driven)

This enrolment method is typically used in BYOD scenarios. Once automatic MDM enrolment has been configured in Azure AD (Mobility (MDM and MAM) > Microsoft Intune, with the user in the MDM user scope), users can be given instructions to go to Settings > Accounts > Access work or school > Connect and sign in with their work account. The device becomes Azure AD registered (not joined) and is enrolled into Intune in the same step.

Scenario 2: Modern App Sign-in (User Driven)

This enrolment method is also typically used for BYOD. Once configured, signing in to a modern Windows 10 app (e.g. OneNote or the Store) or to Office ProPlus with a work account triggers the same Azure AD registration and Intune enrolment as Scenario 1, after the user accepts the prompt to let the organisation manage the device.

Scenario 3: Enrol in MDM Only (User Driven)

This method enrols the device directly into Intune (the "Enroll only in device management" link under Access work or school > Connect) without registering it in Azure AD. It is often used for BYOD, particularly in environments that do not have the Azure AD Premium licences required for the automatic enrolment the other methods rely on.

Scenario 4: Azure AD Join (OOBE)

This method of setup and enrolment is user driven via the Out of Box Experience (OOBE). By choosing "Set up for an organisation" and signing in with a work account, the device becomes Azure AD joined and, provided automatic MDM enrolment is configured for that user, is automatically enrolled into Intune.

Scenario 4.1: Azure AD Join (After OOBE)

This method of enrolment is a variation of the above, initiated from the Settings menu after a Windows profile has already been set up. The user goes to Settings > Accounts > Access work or school > Connect, then selects "Join this device to Azure Active Directory". After a reboot, the user signs in with their Azure AD credentials and the device is enrolled into Intune.

Scenario 5: Azure AD Join (AutoPilot)

This method of setup and Intune enrolment is also user driven, but the OOBE is customised to the organisation through an AutoPilot deployment profile assigned to the device's registered hardware hash. Many of the OOBE screens (EULA, privacy settings, local account creation) can be skipped to give end users a smoother setup.

Scenario 6: Hybrid Azure AD Join (AutoPilot)

This is the newest method of enrolment, made available in Windows 10 1809. The end user experience is almost the same as the Azure AD Join (AutoPilot) scenario above; the main difference is that the admin selects Hybrid Azure AD joined when creating the AutoPilot profile and installs the Intune Connector for Active Directory on a domain-joined server, so the device can be offline domain joined during OOBE.

Scenario 7: Enrol in MDM Only (Device Enrollment Manager)

This method of setup is very similar to Scenario 3, except that it is performed by IT admins using a special type of account, a Device Enrollment Manager (DEM) account. A DEM account can enrol up to 1000 devices into Intune. The IT administrator performing the enrolment needs local administrator credentials on the device to complete it from the Settings menu.

Scenario 8: Azure AD Device Registration + Automatic Enrolment Group Policy Object

Intune enrolment for domain-joined Windows 10 devices (1709 and later) can be automated with the GPO under Computer Configuration > Administrative Templates > Windows Components > MDM: "Enable automatic MDM enrollment using default Azure AD credentials". The device must already be Hybrid Azure AD joined, and the signed-in user must be licensed for Intune and in the MDM user scope; otherwise the enrolment task the policy creates fails (check the Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin event log).

Note: this is different from the Azure AD device registration GPO ("Register domain joined computers as devices"). That GPO only controls registration of the device and makes it Hybrid Azure AD joined; it does not enrol the device into Intune.

Before enabling the GPO (screenshot): only the device registration certificate is present in the local computer store.

After enabling the GPO (screenshot): an Intune certificate (SC_Online_Issuing) is also present in the local computer certificate store.
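A quick way to check whether a Hybrid Azure AD joined device actually picked up the policy and enrolled, added here as an example (it is not from the original post): the script reads the registry value the GPO writes, the join state from dsregcmd, the enrolment scheduled task, the Intune device certificate in the machine store, and the last auto-enrolment event. The registry path, task folder, issuer name and event IDs are what I expect on Windows 10 1709 and later and are assumptions; adjust them if your build differs (for example if your store shows an Intune certificate with a different issuer, as in the screenshot above).

```powershell
# Added example, not from the original post. Run in an elevated PowerShell on the device.
# Registry path, task name, issuer string and event IDs are assumptions for Windows 10 1709+.

function Test-IntuneAutoEnrollment {
    [CmdletBinding()]
    param()

    $result = [ordered]@{}

    # 1. Policy: the GPO "Enable automatic MDM enrollment using default Azure AD
    #    credentials" writes AutoEnrollMDM = 1 under this key.
    $policyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
    $policy    = Get-ItemProperty -Path $policyKey -ErrorAction SilentlyContinue
    $result.AutoEnrollMDM = if ($policy -and $policy.AutoEnrollMDM -eq 1) {
        'Enabled'
    } else {
        'Not set (GPO not applied yet? try gpupdate /force)'
    }

    # 2. Join state: auto-enrolment needs DomainJoined AND AzureAdJoined = YES.
    #    Registration alone (the Device Registration GPO) does not enrol the device.
    $dsreg = dsregcmd /status
    foreach ($field in 'DomainJoined', 'AzureAdJoined', 'MdmUrl') {
        $match = $dsreg | Select-String -Pattern "^\s*$field\s*:\s*(.+)$" | Select-Object -First 1
        $result[$field] = if ($match) { $match.Matches[0].Groups[1].Value.Trim() } else { '(not reported)' }
    }

    # 3. Scheduled task: the enrollment client creates this task once the policy lands.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -like 'Schedule created by enrollment client for automatically enrolling in MDM*' } |
            Select-Object -First 1
    $result.EnrollmentTask = if ($task) { "$($task.State)" } else { 'Missing' }

    # 4. Device certificate: a successful MDM enrolment places an Intune-issued
    #    certificate in the machine Personal store (issuer name is an assumption).
    $cert = Get-ChildItem -Path Cert:\LocalMachine\My |
            Where-Object { $_.Issuer -like '*Microsoft Intune MDM Device CA*' } |
            Sort-Object NotAfter -Descending | Select-Object -First 1
    $result.IntuneDeviceCert = if ($cert) {
        "Present, expires $($cert.NotAfter.ToShortDateString())"
    } else {
        'Absent (not enrolled yet)'
    }

    # 5. Last auto-enrolment result. In my experience ID 75 = succeeded and
    #    ID 76 = failed; confirm the IDs on your build before relying on them.
    $evt = Get-WinEvent -FilterHashtable @{
               LogName = 'Microsoft-Windows-DeviceManagement-Enterprise-Diagnostics-Provider/Admin'
               Id      = 75, 76
           } -MaxEvents 1 -ErrorAction SilentlyContinue
    $result.LastAutoEnrollEvent = if ($evt) {
        "$($evt.TimeCreated) [ID $($evt.Id)] $($evt.Message)"
    } else {
        '(no auto-enrolment events yet)'
    }

    [pscustomobject]$result
}

Test-IntuneAutoEnrollment | Format-List
```

If AutoEnrollMDM shows Enabled but the certificate is absent and the task exists, look at the ID 76 event text: the usual causes are a user without an Intune licence, a user outside the MDM user scope, or a device that is only registered rather than Hybrid Azure AD joined.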

Scenario 9: SCCM Co-Management

Co-management is the best way to enrol an existing fleet that is already managed by Configuration Manager. Once enabled, the device is managed by both SCCM and Intune, and admins choose which workloads move to Intune while keeping the rest in Configuration Manager.

CoManagementHandler.log (in %windir%\CCM\Logs on the client) shows a successful enrolment via this method.
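Reading that log by hand is tedious because ConfigMgr writes it in CMTrace format. The following is an added example (not from the original post or from Microsoft): a small CMTrace line parser, a filter that surfaces the enrolment and error entries from CoManagementHandler.log, and a decoder for the CoManagementFlags registry value that records which workloads have moved to Intune. The log path and registry key are what I expect on a ConfigMgr 1710 or later client, and the bit layout is the commonly documented one; both are assumptions to verify against the docs for your version. The sample log lines at the bottom are constructed so the parser can be tried offline; real log wording differs.

```powershell
# Added example, not from the original post. Parses CoManagementHandler.log (CMTrace format)
# and decodes CoManagementFlags. Log path, registry key and bit layout are assumptions.

function ConvertFrom-CMTraceLine {
    # CMTrace lines look like:
    # <![LOG[message]LOG]!><time="HH:mm:ss.fff+000" date="MM-dd-yyyy" component="X" context="" type="1" thread="123" file="...">
    # type 1 = info, 2 = warning, 3 = error
    param([Parameter(ValueFromPipeline)][string]$Line)
    process {
        $pattern = '<!\[LOG\[(?<msg>.*?)\]LOG\]!><time="(?<time>[^"]+)"\s+date="(?<date>[^"]+)"\s+component="(?<comp>[^"]*)"[^>]*\btype="(?<type>\d)"'
        if ($Line -match $pattern) {
            [pscustomobject]@{
                Date      = $Matches.date
                Time      = $Matches.time
                Component = $Matches.comp
                Severity  = @{ '1' = 'Info'; '2' = 'Warning'; '3' = 'Error' }[$Matches.type]
                Message   = $Matches.msg
            }
        }
    }
}

function Get-CoManagementEnrollmentStatus {
    param(
        [string]$LogPath = "$env:windir\CCM\Logs\CoManagementHandler.log",
        [string[]]$LogLines    # optional: pass lines directly instead of reading the file
    )
    if (-not $LogLines) { $LogLines = Get-Content -Path $LogPath -ErrorAction Stop }

    # Enrolment-related lines plus every error are what you want to see first.
    # 'enrol' matches enrol/enroll/enrolment/enrollment (case-insensitive by default).
    $LogLines | ConvertFrom-CMTraceLine |
        Where-Object { $_.Message -match 'enrol' -or $_.Severity -eq 'Error' }
}

function Get-CoManagementWorkloads {
    param(
        [int]$Flags = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags -ErrorAction SilentlyContinue).CoManagementFlags
    )
    # Bit layout as commonly documented for CoManagementFlags (assumption; verify for your version).
    $bits = [ordered]@{
        1   = 'Co-management enabled'
        2   = 'Compliance policies'
        4   = 'Resource access policies'
        8   = 'Device configuration'
        16  = 'Windows Update policies'
        32  = 'Endpoint Protection'
        64  = 'Client apps'
        128 = 'Office Click-to-Run apps'
    }
    foreach ($bit in $bits.Keys) {
        [pscustomobject]@{ Workload = $bits[$bit]; MovedToIntune = [bool]($Flags -band $bit) }
    }
}

# Constructed sample lines (not real log content) so the parser can be exercised offline.
$sample = @(
    '<![LOG[Co-management policy received; workload flags = 3]LOG]!><time="09:15:01.123+000" date="09-03-2018" component="CoManagementHandler" context="" type="1" thread="4321" file="comanagementhandler.cpp:100">',
    '<![LOG[Device is enrolled in MDM]LOG]!><time="09:15:04.456+000" date="09-03-2018" component="CoManagementHandler" context="" type="1" thread="4321" file="comanagementhandler.cpp:120">',
    '<![LOG[Failed to contact MDM service, will retry]LOG]!><time="09:16:00.000+000" date="09-03-2018" component="CoManagementHandler" context="" type="3" thread="4321" file="comanagementhandler.cpp:140">'
)

# Offline run against the constructed sample: the first line is dropped (info, not about
# enrolment), the second is kept for 'enrolled', the third is kept because it is an error.
Get-CoManagementEnrollmentStatus -LogLines $sample | Format-Table Date, Time, Severity, Message -AutoSize
Get-CoManagementWorkloads -Flags 3 | Format-Table -AutoSize

# On a real client, drop -LogLines and -Flags to read the live log and registry value:
# Get-CoManagementEnrollmentStatus | Format-Table -AutoSize
# Get-CoManagementWorkloads | Format-Table -AutoSize
```

With -Flags 3 the decoder reports co-management enabled and compliance policies moved to Intune, everything else still with Configuration Manager; on a live client the same call reads the value the client wrote after receiving the co-management policy.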

Scenario 10: Azure AD Join (Bulk Enrolment)

Bulk enrolment is the name given to devices Azure AD joined using a bulk enrolment token. The token is created by an IT admin with the "Set up School PCs" app or Windows Configuration Designer (both available from the Store) and embedded in a provisioning package (.ppkg). The admin applies the package from a USB key during OOBE, so the device is Azure AD joined and enrolled into Intune before the first user signs in. Bulk tokens have a limited lifetime (at most 180 days), so packages need to be rebuilt periodically.

Scenario 11: Azure AD Join (AutoPilot Self Deploying Mode)

This enrolment scenario is primarily for userless devices such as kiosks. It is the most streamlined setup of all: every OOBE screen can be skipped after the device is first powered on.

The Azure AD join and Intune enrolment are fully automated with no user interaction. Because nobody authenticates, the device itself has to prove it belongs to the tenant, so self-deploying mode requires a TPM 2.0 capable of device attestation.

At the time of writing it is in preview and is configured by choosing these options in your AutoPilot profile in the Intune console (screenshot):

If you find an enrolment scenario I haven’t listed here, please let me know in the comments!
