In this post I am going to discuss how to enroll Windows devices to Intune, as there are several different ways and methods to do that.
- Why Enroll devices to Intune
- Prerequisites for Enrolling devices to Intune
- Various Enrollment methods
Why Enroll devices to Intune
To manage a device through an MDM authority such as Intune, we need to enroll the device into the Intune service. Enrollment allows Intune to control the device: push applications, settings and policies, and perform actions such as resetting, wiping or restarting the device.
Microsoft Intune is tightly integrated with Azure AD, or we can say it relies heavily on Azure AD. You might see users, groups and other common settings available both in the Azure AD portal and in the MEM admin center (Intune portal).
Enrolling the device goes through two phases:
- Device gets registered in Azure AD.
- The device then gets enrolled to Intune. At this stage an MDM certificate is created for the device, which is necessary to communicate with the Intune service.
In this blog I will mainly be focusing on Windows device enrollment.
Prerequisites for Enrolling devices to Intune
There are a few prerequisites for enrolling devices.
- Once Intune setup is done, the MDM authority should be set to Microsoft Intune. This can be verified by logging on to the MEM admin center and navigating to Tenant administration > Tenant details.
- An Intune license should be assigned to the user.
- The following operating systems are supported by Intune:
Various Enrollment methods
Both personally owned and corporate-owned devices can be enrolled to Intune. There are two ways to enroll devices:
- User Driven: users have to perform the enrollment on their own.
- Automatic Enrollment: this requires admin-side configuration of policies that force the device to enroll automatically. Users don't have to perform any task here.
User Driven Enrollment
This is the method where enrollment is driven by the user. It can be done in any of the following ways:
Using Company Portal App
The device can be enrolled by installing the Company Portal app from the Microsoft Store. Once you provide your credentials, the device gets enrolled. This is the scenario for BYOD (Bring Your Own Device).
If auto-enrollment is enabled (which requires Azure AD Premium P1 / P2), the user only has to enter credentials once; otherwise they need to enroll separately through MDM-only enrollment.
From the Microsoft Store, install Company Portal (you don't need to sign in with Microsoft credentials to download it). Once downloaded, launch Company Portal and provide your credentials; the device will get enrolled into Intune.
Access work or school account
Another method of enrolling the device is to navigate to Start Menu > Settings > Accounts > Access work or school and click Connect.
Rather than providing the username, click Join this device to Azure Active Directory. This registers the device in Azure Active Directory and also enrolls it into Intune, provided the MDM user scope setting includes that user for auto-enrollment.
Once the device is enrolled, you can verify the Azure AD join status by opening a command prompt and running: dsregcmd /status
Under Device State, AzureAdJoined should show as Yes.
MDM only enrollment
MDM-only enrollment means the device is enrolled into Intune but is not registered in Azure AD. This makes it the least preferred way of enrolling a device.
Workgroup, Active Directory joined and Azure Active Directory joined devices can all be enrolled into Intune this way.
On Windows 10 / Windows 11 devices, navigate to Start > Settings > Access work or school and click Enroll only in device management rather than Connect.
This option asks for the email address only, so the device won't get registered in Azure AD.
Why we should not use MDM-only enrollment:
- As the device doesn't register in Azure AD, users might not be able to access the organization's resources such as email.
- Azure AD features such as Conditional Access can't be used.
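The dsregcmd /status check above only shows the Azure AD side. This added example (not from the original post) also reads the local MDM enrollment registry so it can tell a full Azure AD join plus Intune enrollment apart from the MDM-only case described in this section. It assumes Windows 10/11 with dsregcmd.exe, an elevated shell, and that the Intune enrollment carries ProviderID "MS DM Server".

```powershell
# Added example, not from the original post: classify a Windows 10/11 device's
# state from dsregcmd /status and the local MDM enrollment registry. Assumes the
# Intune enrollment ProviderID is "MS DM Server" and that the shell is elevated.

function Get-DsregState {
    # Parse "Key : Value" lines of dsregcmd /status into a hashtable
    $state = @{}
    foreach ($line in (dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.+?)\s*$') {
            $state[$Matches[1]] = $Matches[2]
        }
    }
    return $state
}

function Get-MdmEnrollments {
    # Each enrollment is a GUID-named subkey carrying ProviderID and UPN
    Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        Where-Object { $_.PSChildName -match '^[0-9a-f-]{36}$' } |
        ForEach-Object {
            $p = Get-ItemProperty -Path $_.PSPath
            if ($p.ProviderID) {
                [pscustomobject]@{ Id = $_.PSChildName; ProviderID = $p.ProviderID; UPN = $p.UPN }
            }
        }
}

function Get-IntuneEnrollmentState {
    $ds   = Get-DsregState
    $aadj = $ds['AzureAdJoined'] -eq 'YES'
    $dj   = $ds['DomainJoined']  -eq 'YES'
    $mdm  = @(Get-MdmEnrollments | Where-Object ProviderID -eq 'MS DM Server')
    # MDM-only enrollment shows an Intune enrollment with no Azure AD join
    $kind = if ($aadj -and $dj -and $mdm.Count) { 'Hybrid Azure AD joined, Intune enrolled' }
            elseif ($aadj -and $mdm.Count)      { 'Azure AD joined, Intune enrolled' }
            elseif ($mdm.Count)                 { 'MDM-only enrollment (not registered in Azure AD)' }
            elseif ($aadj)                      { 'Azure AD joined, not enrolled in Intune' }
            else                                { 'Not registered or enrolled' }
    [pscustomobject]@{
        AzureAdJoined  = $aadj
        DomainJoined   = $dj
        MdmUrl         = $ds['MdmUrl']
        Classification = $kind
    }
}

Get-IntuneEnrollmentState | Format-List
```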
Windows Autopilot
During the OOBE phase (out-of-box experience), Autopilot takes care of the Intune enrollment process and asks for user credentials. The process not only registers the device in Azure Active Directory but also enrolls it into Intune.
Device Enrollment Manager (DEM)
An Azure AD user account with an Intune license assigned can be promoted to Device Enrollment Manager. This account can enroll up to 1000 devices, while any other non-admin standard user account can enroll only 15 devices.
This is a special use case: the account should not be used as a standard account, as it comes with lots of restrictions. Check the link to see the limitations and restrictions for DEM accounts. As this is a device-based user account, applications deployed as available via Intune cannot be installed. The same applies to Wi-Fi and email profiles, which then require device-level certificates instead of user-level certificates.
Automatic Enrollment
We can also call this administrator-based enrollment, as it is not user driven. Once the configuration settings are done, devices are enrolled automatically with no user interaction required.
Automatic enrollment via Group policy
This is the scenario for Hybrid Azure AD join, which means devices joined to both Active Directory and Azure Active Directory.
Hybrid Azure AD = AD Join + Azure AD Join
Hybrid Azure AD join relies on Azure AD Connect, which is responsible for syncing devices, users and groups to Azure AD. Think of Azure AD Connect as a bridge connecting your on-premises infrastructure to Azure AD.
Once the Hybrid Azure AD join configuration is in place, we need a group policy to enroll devices to Intune.
Log in to the server, launch Group Policy Management (gpmc.msc), create or edit an existing policy and navigate to Computer Configuration > Policies > Administrative Templates > Windows Components > MDM. Enable the setting Enable automatic MDM enrollment using default Azure AD credentials and set:
Select Credential Type to use: User Credential
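To confirm on a hybrid-joined client that the group policy above actually landed, this added example (not from the original post) audits the policy's registry equivalents and the scheduled task the enrollment client creates. The registry path, value names, and task name are assumptions from my own environment; verify them on your Windows build.

```powershell
# Added example, not from the original post: audit whether the MDM auto-enrollment
# GPO has applied on this client. The policy key/value names and the enrollment
# scheduled task name are assumed (they are not given in the post); verify locally.
$PolicyKey = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM'
$TaskPath  = '\Microsoft\Windows\EnterpriseMgmt\'
$TaskName  = 'Schedule created by enrollment client for automatically enrolling the device for MDM'

function Test-AutoEnrollPolicy {
    $p = Get-ItemProperty -Path $PolicyKey -ErrorAction SilentlyContinue
    $findings = [ordered]@{}

    # "Enable automatic MDM enrollment using default Azure AD credentials" = Enabled
    $findings['AutoEnrollMDM = 1 (policy enabled)'] = ($p.AutoEnrollMDM -eq 1)

    # "Select Credential Type to use" = User Credential (1); 2 would mean Device Credential
    $findings['UseAADCredentialType = 1 (User Credential)'] = ($p.UseAADCredentialType -eq 1)

    # The enrollment client registers a scheduled task that retries enrollment
    $task = Get-ScheduledTask -TaskPath $TaskPath -TaskName $TaskName -ErrorAction SilentlyContinue
    $findings['Auto-enrollment scheduled task present'] = [bool]$task

    $findings.GetEnumerator() | ForEach-Object {
        [pscustomobject]@{ Check = $_.Key; Pass = $_.Value }
    }
}

Test-AutoEnrollPolicy | Format-Table -AutoSize
```

A device where the first two checks pass but the task is missing typically has not yet refreshed group policy; run gpupdate /force and re-check before investigating further.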
Automatic enrollment using SCCM Co-management feature
Configuration Manager Co-management: once SCCM Cloud Attach is configured, we can set the enrollment settings here. The end goal is the same as with group policy, but with the added advantage that devices can be co-managed between SCCM and Intune. We also have full control to target all devices with the SCCM client installed, or a specific collection, which is the preferred way.
The benefit of the Configuration Manager policy over group policy is that co-management lets you define which workloads are handled by SCCM and which by Intune, along with the option to select a pilot collection.
Hence, if an organization is not fully ready to move to Intune, this is the best option: move one workload at a time to Intune and, once successful, move the other workloads as well.
Co-management in SCCM is enabled when we configure Cloud Attach.
Open the Configuration Manager console and navigate to \Administration\Overview\Cloud Services\Cloud Attach; you will see the option Configure Cloud Attach. As I have already configured it, click Properties.
Click the Enablement tab. As you can see, I have selected a pilot collection for automatic enrollment into Intune, which prevents all devices from enrolling; auto-enrollment works by creating a local enrollment policy on the device.
The workloads are:
- Compliance policies
- Device configuration
- Endpoint Protection
- Resource access policies
- Client apps
- Office Click-to-Run apps
- Windows Update policies
For more details you can check SCCM Co-management capabilities and workloads explained.
Bulk Enrollment
You need to create a provisioning package using WCD (Windows Configuration Designer). The WCD app can be installed either:
- from the Microsoft Store
- as part of the Windows Assessment and Deployment Kit (ADK) for Windows 10
For more details, check the link on how to create a provisioning package using Windows Configuration Designer.
Using WCD, we create a provisioning package in .ppkg format, which can then be installed on a user's device to enroll it.
Creating the package requires a bulk enrollment token, which asks for user credentials. Users with the following roles are allowed to create the package and obtain the bulk enrollment token:
- Global Administrator
- Cloud Device Administrator
- Intune Administrator
- Password Administrator
The bulk enrollment provisioning package can be applied:
- During initial setup
- After initial setup
- Directly on a Windows device
Enrolling Windows IoT Core devices
This enrollment method is used to manage the enrollment of IoT Core devices.
To enroll the device into Intune, we first use the Windows IoT Core Dashboard to prepare the device. Once this is done, we use Windows Configuration Designer to create a provisioning package as discussed in the previous section.
SD card media is required in this case. The provisioning package created with WCD needs to be copied to a microSD card, which is then used to enroll the device.