10 WAYS to Enrol Windows 10 Devices!
In today’s cloud-first world, IT departments increasingly want to let employees bring their own devices (BYOD), or even choose and purchase corporate-owned devices (CYOD). Connecting your devices to work makes it easy for you to access your organization’s resources (such as apps, the corporate network, and email).
There are many ways to enrol Windows 10 devices into Microsoft Intune for device management. Some are user-driven and some are controlled by IT administrators; some exist to support BYOD programs and others to streamline modern provisioning and management for corporate-owned devices.
Windows Autopilot simplifies enrolling devices. Building and maintaining customised operating system images is a time-consuming process, and you might also spend time applying those images to new devices before giving them to your end users. With Microsoft Intune and Autopilot, you can hand new devices to your end users without building, maintaining, or applying custom operating system images. When you use Intune to manage Autopilot devices, you can manage policies, profiles, apps, and more after they're enrolled.
Windows Autopilot self-deploying mode is intended for userless devices such as kiosks and shared devices.
The setup experience is the most streamlined of all the methods: every OOBE screen can be skipped after the device is first powered on.
The Azure AD join and Intune enrolment are fully automated with no user interaction. The device authenticates to the tenant with its TPM 2.0 rather than with a user's credentials, so self-deploying mode only works on hardware that supports TPM 2.0 device attestation and fails on older or virtual hardware that lacks it.
It is currently in preview and is configured in the Intune console by setting the deployment mode of the Autopilot deployment profile to Self-Deploying.
Read more here: LINK
Personally owned devices, also known as bring your own device or BYOD, can be connected to a work or school account or to MDM. Windows 10 does not require a personal Microsoft account on devices to connect to work or school.
You can connect to a work or school account either through the Settings app or through any of the numerous Universal Windows Platform (UWP) apps such as the universal Office apps.
All Windows 10-based devices can be connected to a work or school account.
This enrolment method is typically used for BYOD scenarios.
Once the account is added, a sign-in to a modern Windows 10 app (for example OneNote or the Store) or to Office ProPlus with a work account triggers the connection: the device is registered in Azure AD (workplace joined) and, if MDM automatic enrolment is configured for that user, it is also enrolled into Intune.
MDM-only enrolment ("Enrol only in device management" under Settings > Accounts > Access work or school) enrols the device directly into Intune without joining or registering it in Azure AD.
This form of enrolment is often used for BYOD, particularly in environments that lack the Azure AD Premium licences required for the automatic enrolment the other methods rely on.
This method is a user-driven Azure AD join performed during the Out of Box Experience (OOBE).
When the user chooses "Set up for an organization" and signs in with a work account, the device becomes Azure AD joined and, if MDM automatic enrolment is configured in Azure AD for that user, is automatically enrolled into Intune.
This method of enrolment is a variation of the above.
It is initiated from Settings after a Windows user profile has already been set up: the user goes to Settings > Accounts > Access work or school > Connect and selects "Join this device to Azure Active Directory".
Once rebooted, the user can log on with their Azure AD credentials and the device is enrolled into Intune (again subject to MDM automatic enrolment being configured). The local account that performed the join keeps whatever local rights it already had, so check it afterwards if the device is meant to run with a standard user.
Windows Autopilot user-driven mode is also user driven, but the OOBE is customised to the organisation through the Autopilot deployment profile.
Many of the OOBE screens can be skipped (for example the EULA and privacy settings pages) and the user can be made a standard user instead of a local administrator, giving a smoother and safer setup experience for end users. The device is Azure AD joined and enrolled into Intune when the user signs in with their work account.
This method of setup is very similar to Scenario #3 (MDM-only enrolment) except that it is performed by IT admins using a special type of account: a Device Enrollment Manager (DEM) account.
The IT administrator performing the enrolment needs local administrator credentials on the device to complete the enrolment from the Settings menu.
A DEM account can be used to enrol up to 1,000 devices into Intune, so treat it as a privileged credential: keep it out of ordinary users' hands and do not give it additional administrator roles.
Intune enrolment for domain-joined Windows 10 devices can be automated with the group policy "Enable automatic MDM enrollment using default Azure AD credentials" (Computer Configuration > Administrative Templates > Windows Components > MDM). The device must already be Hybrid Azure AD joined, and the user signing in must be in scope of MDM automatic enrolment in Azure AD.
Note: this is different from the Azure AD device registration GPO. That GPO only controls registration of the device and makes it Hybrid Azure AD joined; it does not enrol the device into Intune.
Before enabling the GPO: only the Azure AD device registration certificate (issued by MS-Organization-Access) is present in the local computer certificate store.
After enabling the GPO: the Intune MDM device certificate (issued by SC_Online_Issuing) is also present in the local computer certificate store, which is a quick way to confirm that the enrolment completed.
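The before/after certificate comparison above is one symptom; the script below, added here as an example and not part of the original article, checks every link in the GPO enrolment chain on a domain-joined device and reports the first one that is missing. It assumes an elevated PowerShell session on the client. The policy registry path, the Enrollments key and ProviderID value, and the EnterpriseMgmt task name are the ones the Windows MDM enrolment client uses; the two Intune issuer names cover older tenants (SC_Online_Issuing) and newer ones (Microsoft Intune MDM Device CA).

```powershell
# Added example (not from the original article): audit a domain-joined Windows 10 device
# for everything the "Enable automatic MDM enrollment using default Azure AD credentials"
# GPO depends on, and report whether the device actually reached Intune. Run elevated.

function Get-MdmEnrollmentState {
    $result = [ordered]@{}

    # 1. Policy written by the GPO. AutoEnrollMDM=1 turns it on; UseAADCredentialType
    #    1 = user credential, 2 = device credential.
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $result.PolicyAutoEnrollMdm  = [bool]($policy.AutoEnrollMDM -eq 1)
    $result.PolicyCredentialType = $policy.UseAADCredentialType

    # 2. Hybrid Azure AD join state, which the GPO needs but does not create.
    #    dsregcmd /status prints "AzureAdJoined : YES" and "DomainJoined : YES".
    $dsreg = dsregcmd /status
    $result.AzureAdJoined = [bool]($dsreg -match '^\s*AzureAdJoined\s*:\s*YES')
    $result.DomainJoined  = [bool]($dsreg -match '^\s*DomainJoined\s*:\s*YES')

    # 3. The scheduled task the enrolment client creates once the policy has applied.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' -ErrorAction SilentlyContinue |
            Where-Object { $_.TaskName -like 'Schedule created by enrollment client*' }
    $result.AutoEnrollTaskPresent = [bool]$task

    # 4. A completed Intune enrolment: a key under HKLM\SOFTWARE\Microsoft\Enrollments
    #    whose ProviderID is "MS DM Server".
    $enrollment = Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' } | Select-Object -First 1
    $result.IntuneEnrolled = [bool]$enrollment
    $result.EnrolledUpn    = $enrollment.UPN

    # 5. The certificates the article's screenshots compare: the Azure AD device
    #    registration certificate exists before the GPO, the Intune MDM device
    #    certificate only after a successful enrolment.
    $certs = Get-ChildItem Cert:\LocalMachine\My
    $result.AadDeviceCert = [bool]($certs | Where-Object { $_.Issuer -like '*MS-Organization-Access*' })
    $result.IntuneCert    = [bool]($certs | Where-Object {
        $_.Issuer -like '*SC_Online_Issuing*' -or $_.Issuer -like '*Microsoft Intune MDM Device CA*' })

    [pscustomobject]$result
}

$state = Get-MdmEnrollmentState
$state | Format-List

# Report the first missing prerequisite, in the order the enrolment depends on them.
if (-not $state.DomainJoined) {
    Write-Warning 'Device is not domain joined; this GPO path does not apply.'
} elseif (-not $state.AzureAdJoined) {
    Write-Warning 'Not Hybrid Azure AD joined yet: fix device registration (dsregcmd /status, the separate registration GPO) first.'
} elseif (-not $state.PolicyAutoEnrollMdm) {
    Write-Warning 'Auto-enrolment policy not applied: run gpupdate /force and check the GPO scope and filtering.'
} elseif (-not $state.IntuneEnrolled) {
    Write-Warning 'Policy applied but no Intune enrolment yet: check the EnterpriseMgmt scheduled task and the DeviceManagement-Enterprise-Diagnostics-Provider/Admin event log.'
} else {
    Write-Output "Enrolled in Intune as $($state.EnrolledUpn)"
}
```

The ordering of the warnings matters: the enrolment task only fires after the device has a Hybrid Azure AD join and the policy has applied, so checking join state before policy state avoids chasing the wrong GPO.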
Co-management is the best way to enrol an existing device fleet that is already managed by Configuration Manager. The devices need to be Hybrid Azure AD joined (or Azure AD joined) for the Configuration Manager client to perform the automatic Intune enrolment.
Once enabled, a device can be managed by both SCCM and Intune, leveraging the best features of each, with individual workloads switched over to Intune as you choose.
CoManagementHandler.log (in C:\Windows\CCM\Logs on the client) shows whether enrolment via this method succeeded.
Bulk enrolment is the name given to Azure AD joining devices with a bulk enrolment token.
A bulk enrolment token can be created by IT admins with the Set up School PCs app or Windows Configuration Designer (both available from the Store); it is embedded in a provisioning package (.ppkg) and is valid for at most 180 days.
In this scenario the IT admin prepares Windows devices from a USB key carrying the package (Azure AD join and Intune enrolment) so they are ready for the first user logon. Because the package contains a credential that can join devices to your tenant, treat the USB key like a password: keep the token lifetime short and delete the package_<GUID> account the token created in Azure AD once the rollout is finished.
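To show what "prepared from a USB key" looks like when it is scripted rather than clicked through, here is an added example (not from the original article) that applies the bulk-enrolment package from an elevated PowerShell prompt on the device and then waits until the Azure AD join and Intune enrolment it triggers have actually completed. The drive letter and file name are placeholders; the cmdlets come from the built-in Provisioning module.

```powershell
# Added example (not from the original article): apply a bulk-enrolment provisioning
# package (.ppkg) from a USB key, then poll until the device is Azure AD joined and
# enrolled in Intune. Run elevated on the target device.
param(
    [string]$PackagePath = 'D:\BulkEnrol.ppkg',   # hypothetical USB drive letter and file name
    [int]$TimeoutSeconds = 300
)

if (-not (Test-Path -LiteralPath $PackagePath)) {
    throw "Provisioning package not found: $PackagePath"
}

# -QuietInstall suppresses the consent prompt; -ForceInstall re-applies a package
# that has already been applied to this device (useful when re-imaging).
Install-ProvisioningPackage -PackagePath $PackagePath -QuietInstall -ForceInstall | Out-Null

# The join and the MDM enrolment run asynchronously; poll the two places that record them:
# dsregcmd for the Azure AD join, the Enrollments registry key for the Intune enrolment.
function Test-BulkEnrolmentComplete {
    $joined = [bool]((dsregcmd /status) -match '^\s*AzureAdJoined\s*:\s*YES')
    $enrolled = [bool](Get-ChildItem 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' })
    return ($joined -and $enrolled)
}

$deadline = (Get-Date).AddSeconds($TimeoutSeconds)
while (-not (Test-BulkEnrolmentComplete) -and (Get-Date) -lt $deadline) {
    Start-Sleep -Seconds 15
}

if (Test-BulkEnrolmentComplete) {
    Write-Output 'Device is Azure AD joined and enrolled in Intune; ready for first user logon.'
    # List what was applied so the package ID can be matched against the one issued.
    Get-ProvisioningPackage -AllInstalledPackages
} else {
    Write-Warning "Join or enrolment did not complete within $TimeoutSeconds s. Check dsregcmd /status and the DeviceManagement-Enterprise-Diagnostics-Provider/Admin event log; an expired bulk token is a common cause."
}
```

Keep the .ppkg off shared network locations: anyone who can read it can join devices to the tenant until the token expires or its package_<GUID> account is deleted.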
I stumbled upon this article by accident while researching Windows Autopilot. This was originally written by Scott Duffey; you can go through the entire set of Intune+AAD+Windows10 articles by Scott here - LINK
I am really excited to show you the 10 ways to enrol Windows 10 devices! Please have a look at the other articles as well.
If you are interested in creating a free Azure account, check out this article - LINK
Check out how to get free Azure training here - LINK
Cheers,
Susanth
Cluster Product Owner - UEM at Allianz Technology SE
Comment (6 years ago): Good one