Intune Enrollment: Windows Part I

In the last blog(put link here to previous post) we discussed about Intune fundamentals and the services offered. The first component we will discuss is Intune Enrollment for Windows.

Device enrollment is a process of engaging a device with Intune. The process which makes the devices under administration of Intune for device management.

Intune as a device management tool does works seamlessly with OS like Android, iOS, Windows, MacOS and counting.

We will start our enrollment journey with Windows Platform. One of the most widely used operating system. It is so very important that a UEM tool to be successful must have a very good grip over Windows given the market share it covers for enterprises.

Let’s get started with Windows enrollment!!!

Primarily, on a very high-level Windows enrollment can be categorized into two sections:

1. Self-enrollment of windows devices by the users.
2. Enrollment by admins without any user intervention.

Let us dig down a level deeper and understand both.

1. Self-enrollment of windows devices by the users

As the name clearly suggests, this type of enrollment is carried by end user. Some manual interventions are needed.

Majorly there are four type of enrollment which falls under this category.

1. Bring your own device (BYOD): Bring your own analogy is pretty much trend these days. In our world the intend is that the users will get their personal device for the corporate use. The device will be flagged as personal owned.

The end user will enroll the device manually in two ways.

• Navigate to Work and school access> click on connect and sign in with corporate credentials.

• Using Company Portal application and singing in with corporate credentials.

• MDM only enrollment: This option enables users only to enroll the device into Intune. The device doesn’t get registered in Azure Active Directory and prevents the use of some features such as conditional access, hence this isn’t a recommended option.

The device will be flagged as personal owned.

• Azure Active Directory Joined: The user can join the device to Azure Active Directory by navigating to Settings> Accounts> Work and School Access > Join the device to Azure Active Directory. This required Auto enrollment to be enable (comes with Azure AD premium subscription). Once done user can login to Windows using the corporate credentials as well.

The device will be flagged as corporate owned in this scenari

• Windows Autopilot: This is an automated process which leverages Auto enrollment and customized out of box experience for Windows 10. There are three ways in which autopilot can be used:
• Self-Deploying mode
• User Driven Mode
• Autopilot for existing devices

• Enrollment by Admins:

Administrators can set up the corporate devices using the following methods which do not require user to manually enroll the device.

1. Hybrid Azure AD Joined: Admin can set up Active Directory group policy to enable enrollment of domain joined devices and leverage both AAD and local AD.

• Co-management with SCCM: Admins can configure devices managed with Intune as well as SCCM using the co-management functionality. By dividing the workloads, leverage the benefits of SCCM and Intune.

• Device Enrollment Manager: A special service account which has the permission to enroll up-to 1000 devices. Comes with multiple limitations but very useful for scenarios with shared and point to point use.

• Bulk Enrolment: Making the use of provisioning packages using an application like Windows Configuration Designer (WCD), admins can join bulk devices for corporate users and enroll them in Intune during OOBE experience only.

This was an overview on how many ways Intune Enrollment for Windows can performed. In upcoming blogs, we will touch base every method of enrollment with steps to set up and some best practices.

Until Next time, Cheerio!!