Enrollment Concepts

When setting up new Intune environments, choosing the right enrollment strategy is key. What enrollment options are there, and what steps are necessary for their implementation? In the coming posts, I will answer those questions and provide a detailed insight into the world of Intune enrollment strategies.


The basic structure of Intune Device Enrollment


Architectures

Entra ID Join

Enrollment methods in Intune

User-Driven

With this method, the system-related configurations and apps are installed first and the device is then sealed. A user login is required afterwards to install all configurations, apps, etc. that are assigned to that user.

Self-Deploying

With this method, a user is first assigned to the device in the Intune Admin Center. After that, the device runs through all setup steps (configurations, apps, etc.) in both the computer and the user context.

Hybrid Join

Enrollment methods in Intune

User-Driven:
After the system-related configurations and apps have been installed and the device has been sealed, a user login is required.

Windows Autopilot

What’s Windows Autopilot?

New Devices

Option 1: Automatic registration by the manufacturer in Intune

When ordering the required devices directly from the manufacturer or through a reseller, one can ask them to register the devices in one’s own Windows Autopilot tenant. For this, the Tenant ID must always be provided. Once the appropriate permissions have been granted, the manufacturer can register the devices independently.

Option 2: Automatic registration through script

If the devices have not already been registered in Windows Autopilot by the OEM, this can easily be done yourself. For this, the script “Get-WindowsAutopilotInfo” provided by Microsoft is used. To prevent the script from prompting for a username and password, an Enterprise App Registration must be created in Entra ID.

App Registration Setup

Scripts

After that, both scripts need to be copied to a USB stick. During the Windows setup of the respective device, open a CMD window with Shift + F10, navigate to the USB stick (usually drive F:), and enter the following command: autopilot.cmd
Afterward, the script automatically executes all steps for registration with Windows Autopilot, and the devices will then be visible here.
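As an added example (the post does not reproduce its own scripts, so this is not them): a PowerShell wrapper of the kind autopilot.cmd would call, which reads the app registration credentials from a config file on the USB stick and hands them to Get-WindowsAutopilotInfo so that no interactive login is needed. The file name autopilot.json, its keys and the placeholder tenant values are assumptions; the -TenantId/-AppId/-AppSecret/-GroupTag parameters are those of Microsoft's script.

```powershell
# Register-AutopilotDevice.ps1  (added example, not the post's own script)
# Run from the setup CMD window (Shift+F10), e.g. from the USB stick:
#   PowerShell.exe -ExecutionPolicy Bypass -File F:\Register-AutopilotDevice.ps1
# Assumes an autopilot.json next to this script (hypothetical file) such as
#   {"TenantId":"<tenant-guid>","AppId":"<app-guid>","AppSecret":"<secret>","GroupTag":"Standard"}
# The app registration only needs the Graph application permission
# DeviceManagementServiceConfig.ReadWrite.All, which is all Autopilot import requires.

$ErrorActionPreference = 'Stop'
$ConfigPath = Join-Path $PSScriptRoot 'autopilot.json'
$LogPath    = Join-Path $PSScriptRoot 'autopilot.log'

function Write-Log([string]$Message) {
    $line = '{0:s} {1}' -f (Get-Date), $Message
    Add-Content -Path $LogPath -Value $line
    Write-Host $line
}

# The setup environment has no TLS 1.2 default and no trusted PSGallery yet.
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned -Force

$config = Get-Content -Path $ConfigPath -Raw | ConvertFrom-Json
foreach ($key in 'TenantId', 'AppId', 'AppSecret') {
    if (-not $config.$key) { throw "autopilot.json is missing '$key'" }
}

# Install Microsoft's script only if it is not already on this image.
if (-not (Get-Command Get-WindowsAutopilotInfo -ErrorAction SilentlyContinue)) {
    Write-Log 'Installing Get-WindowsAutopilotInfo from the PowerShell Gallery'
    Install-PackageProvider -Name NuGet -Force | Out-Null
    Install-Script -Name Get-WindowsAutopilotInfo -Force
    $env:Path += ';C:\Program Files\WindowsPowerShell\Scripts'
}

$serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
Write-Log "Registering serial '$serial' in tenant $($config.TenantId)"

# App credentials instead of a user login: no username/password prompt during setup.
$params = @{
    Online    = $true
    TenantId  = $config.TenantId
    AppId     = $config.AppId
    AppSecret = $config.AppSecret
}
if ($config.GroupTag) { $params.GroupTag = $config.GroupTag }

Get-WindowsAutopilotInfo @params
Write-Log 'Registration submitted; the device should now be listed under Windows Autopilot devices'
```

The secret on the stick is a tenant credential: keep the app registration limited to that one permission and rotate the secret once the rollout batch is done.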

Option 3: Manual Registration (online or via CSV)

During the setup of a device, press Shift + F10 to open a CMD window. Then enter the following commands to perform the manual online registration with Windows Autopilot:

PowerShell.exe -ExecutionPolicy Bypass
# The following lines are PowerShell syntax, so open PowerShell first; TLS 1.2 is needed to reach the PowerShell Gallery
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Install-Script places the script in the Scripts folder, which the setup session does not yet have on its path
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Get-WindowsAutopilotInfo -Online


Alternatively, the hardware hash can also be written to a CSV file:

PowerShell.exe -ExecutionPolicy Bypass
[Net.ServicePointManager]::SecurityProtocol = [Net.SecurityProtocolType]::Tls12
New-Item -Type Directory -Path "C:\HWID"
Set-Location -Path "C:\HWID"
$env:Path += ";C:\Program Files\WindowsPowerShell\Scripts"
Set-ExecutionPolicy -Scope Process -ExecutionPolicy RemoteSigned
Install-Script -Name Get-WindowsAutopilotInfo -Force
# Writes serial number, Windows product ID and hardware hash of this device to the CSV
Get-WindowsAutopilotInfo -OutputFile AutopilotHWID.csv

With this approach, the CSV file must then be manually uploaded in the Intune Admin Center.
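When the CSV route is used for more than a handful of devices, each machine produces its own AutopilotHWID.csv. The following added script (mine, not from the post) merges those files into one upload file and drops rows the Intune import would reject anyway (empty or truncated hash, duplicate serial). The folder and file names are assumptions; the column names are those Get-WindowsAutopilotInfo writes.

```powershell
# Merge-AutopilotCsv.ps1  (added example, not from the post)
# Combines per-device AutopilotHWID.csv files into one file for a single bulk upload
# in the Intune Admin Center. Folder and file names are assumptions.
param(
    [string]$SourceFolder = 'D:\HWID',            # one CSV per device, written by Get-WindowsAutopilotInfo -OutputFile
    [string]$OutputFile   = 'D:\HWID\Merged.csv',
    [int]   $MaxRows      = 500                   # Microsoft's documented limit of devices per uploaded CSV
)
$required = 'Device Serial Number', 'Windows Product ID', 'Hardware Hash'
$seen = @{}
$rows = [System.Collections.Generic.List[object]]::new()

foreach ($file in Get-ChildItem -Path $SourceFolder -Filter '*.csv' -File) {
    if ($file.FullName -eq $OutputFile) { continue }
    $csv = @(Import-Csv -Path $file.FullName)
    if ($csv.Count -eq 0) { Write-Warning "$($file.Name): empty, skipped"; continue }
    $headers = $csv[0].PSObject.Properties.Name
    $missing = @($required | Where-Object { $_ -notin $headers })
    if ($missing.Count) { Write-Warning "$($file.Name): missing column(s) $($missing -join ', '), skipped"; continue }
    foreach ($row in $csv) {
        $serial = "$($row.'Device Serial Number')".Trim()
        $hash   = "$($row.'Hardware Hash')".Trim()
        # A real hardware hash is a base64 blob of several KB; anything short or non-base64 is a failed export.
        $hashOk = $hash.Length -gt 1000 -and $hash -match '^[A-Za-z0-9+/]+=*$'
        if (-not $serial -or -not $hashOk) { Write-Warning "$($file.Name): serial '$serial' has no usable hash, skipped"; continue }
        if ($seen.ContainsKey($serial)) { Write-Warning "$($file.Name): duplicate serial '$serial', skipped"; continue }
        $seen[$serial] = $true
        $rows.Add([pscustomobject]@{
            'Device Serial Number' = $serial
            'Windows Product ID'   = $row.'Windows Product ID'
            'Hardware Hash'        = $hash
            'Group Tag'            = $(if ($headers -contains 'Group Tag') { $row.'Group Tag' } else { '' })
        })
    }
}
if ($rows.Count -eq 0) { throw "No valid rows found in $SourceFolder" }
if ($rows.Count -gt $MaxRows) { throw "$($rows.Count) devices exceed the $MaxRows-row upload limit; split the source files" }

# Keep the optional Group Tag column only if at least one row actually carries a tag.
$props = $required
if (@($rows | Where-Object { $_.'Group Tag' }).Count -gt 0) { $props += 'Group Tag' }
# Write unquoted CSV, the same layout Get-WindowsAutopilotInfo itself produces.
$rows | Select-Object -Property $props | ConvertTo-Csv -NoTypeInformation |
    ForEach-Object { $_ -replace '"', '' } | Set-Content -Path $OutputFile -Encoding ASCII
Write-Host "Wrote $($rows.Count) devices to $OutputFile"
```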

Existing devices

Option 1: Automatic Registration via GPO (Hybrid)

For this, a Group Policy must be created on the domain controller.
Path: Computer Configuration > Administrative Templates > Windows Components > MDM > Enable automatic MDM enrollment using default Microsoft Entra credentials.
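To confirm on a client that the policy has applied and the enrollment actually happened, the following added check (mine, not from the post) reads the policy's registry values, the join state from dsregcmd /status and the Intune enrollment record. Assumptions: the registry path and value names are what the MDM.admx policy writes as far as I know; the scheduled task name and the "MS DM Server" provider ID are the ones Windows uses for Intune enrollment.

```powershell
# Test-AutoEnrollment.ps1  (added example, not from the post)
# Run on a domain-joined client after the GPO has applied.

function Get-DsregStatus {
    # Parse the "Key : Value" lines of dsregcmd /status into a hashtable.
    $status = @{}
    foreach ($line in (& dsregcmd /status)) {
        if ($line -match '^\s*(\S[^:]*?)\s*:\s*(.*?)\s*$') { $status[$Matches[1]] = $Matches[2] }
    }
    return $status
}

function Test-AutoEnrollment {
    $result = [ordered]@{}
    # Values written by "Enable automatic MDM enrollment using default Microsoft Entra credentials" (assumed names).
    $policy = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\CurrentVersion\MDM' -ErrorAction SilentlyContinue
    $result.PolicyApplied  = ($policy.AutoEnrollMDM -eq 1)
    $result.CredentialType = $policy.UseAADCredentialType   # 1 = user credential, 2 = device credential

    $s = Get-DsregStatus
    $result.DomainJoined   = ($s['DomainJoined'] -eq 'YES')
    $result.AzureAdJoined  = ($s['AzureAdJoined'] -eq 'YES')
    $result.HybridJoined   = $result.DomainJoined -and $result.AzureAdJoined   # both must be YES for hybrid join
    $result.MdmUrl         = $s['MdmUrl']                                      # empty until the Intune MDM scope applies

    # An Intune enrollment appears as an Enrollments subkey whose ProviderID is "MS DM Server".
    $enrollments = Get-ChildItem -Path 'HKLM:\SOFTWARE\Microsoft\Enrollments' -ErrorAction SilentlyContinue |
        ForEach-Object { Get-ItemProperty -Path $_.PSPath -ErrorAction SilentlyContinue } |
        Where-Object { $_.ProviderID -eq 'MS DM Server' }
    $result.IntuneEnrolled = (@($enrollments).Count -gt 0)

    # The policy creates a scheduled task that retries the enrollment; its state helps when troubleshooting.
    $task = Get-ScheduledTask -TaskPath '\Microsoft\Windows\EnterpriseMgmt\' `
        -TaskName 'Schedule created by enrollment client for automatically enrolling in MDM from AAD' `
        -ErrorAction SilentlyContinue
    $result.EnrollmentTask = $(if ($task) { $task.State } else { 'not created yet' })

    return [pscustomobject]$result
}

Test-AutoEnrollment | Format-List
```

A device that shows HybridJoined but not IntuneEnrolled after a few hours usually has no Intune license or MDM user scope for the logged-on user, which is the first thing to check.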

Optional steps after registration

Option 2: Reinstalling the client

Especially with older devices, it is recommended to reinstall them when switching to Intune. This way, you’ll get a standardized installation without any previous errors or legacy problems. After reinstallation, the devices can be added to Windows Autopilot via script.

Option 3: Co-Managed

If Microsoft Endpoint Configuration Manager is already in use, workloads can be gradually shifted to Intune. This allows for a smooth transition from MECM to Intune. More on this here or in a future post.

Why no Hybrid-Join?

Cloud Kerberos trust (Cloud Trust)

This configuration allows for a trust relationship between the local domain and Entra ID / Azure. As a result, devices that are only connected to Entra ID can also access local resources such as network drives and printers.

ADMX-Import

All ADMX files can be easily imported into Intune. Subsequently, all settings, similar to an existing GPO, can also be created as an Intune configuration profile.

GPO-Analyzer

The GPO Analyzer included in Intune allows for the analysis of existing GPOs and their native representation in Intune, provided the corresponding settings are available.

More advantages of Entra ID (only) Join

  • Faster Setup
  • More flexible
  • No local components
  • Best Practice

Procedure

Inventory of the existing environment

Analyze the existing environment. The following questions could be asked:

  • How have devices been set up so far?
  • What software was used?
  • What were the key features of the software?
  • How much time was required per device?
  • What user interactions were necessary?
  • What applications are installed?
  • Are these specially configured?

Moreover, it is important to examine how and, most importantly, with which settings the clients were provisioned. Which GPOs are in use and why? Are some even duplicated? Can these be represented in Intune? If only partially, how could the other parts be implemented? Possibly with scripts? Or in another way?

The answers to all these questions should be summarized in a document and discussed with the respective contacts.

Decision on the rollout architecture

Based on the inventory, it can now be decided whether a device will be hybrid joined or only Entra ID joined.

In most cases, an Entra ID Only Join can be realized without any problems. Virtually all scenarios are feasible this way (in conjunction with Cloud Kerberos trust). If a customer, for example, cannot commit to a cloud-only setup due to regulations, a hybrid setup must be chosen.

Decision on the rollout method: Existing devices

If the devices are in a Windows domain, the initial “Intune Join” can be done via GPO. Afterward, it is recommended to add the devices to Windows Autopilot via script.
However, the crucial question arises: Do you want to proceed with the hybrid setup or offer the devices as Entra ID Joined? In the latter case, the devices now in Windows Autopilot could be reset via Autopilot Reset and joined as Entra ID only. If you opt for a hybrid setup, this step is not necessary.

Decision on the rollout method: New devices

Depending on the architecture, you now have more or less of the above-described rollout methods to choose from. The following questions can help with the decision:

  • How is the workload distribution between internal IT and the user managed?
    • Can the users take over part of the setup? For example, self-enroll for apps in the user context, or should the entire setup be covered by pre-provisioning from internal IT?
    • If the setup is taken over by the IT department, should this be done via several authorized users or through a so-called DEM (Device Enrollment Manager) user?
  • Is there a BYOD (Bring Your Own Device) approach or not?

Depending on how the above questions were answered, the following approaches can be chosen among others:

  • The user orders the device to their home, logs in during setup, and the device is configured.
  • IT orders the device, installs apps (computer context), seals the device, and sends it to the user. The user logs in, and the device installs the apps in the user context.
  • IT orders the device and has it completely set up using a DEM (Device Enrollment Manager) user, then sends it to the user.

Next steps

After all parameters have been defined and documented, it’s time to move on to implementation. All further steps, such as setting up the deployment profiles, and much more, are described in detail in the next post of the series “Get started with Intune 2024.”