Wednesday, 30 July 2025

The Four Primary Enrollment Methods in Intune Windows Enrollment

Windows Enrollment Strategy in Microsoft Intune

Introduction

Enrolling Windows devices into Microsoft Intune is a critical first step in modern endpoint management. It allows you to configure policies, deploy applications, and secure corporate data. However, not all enrollment methods are created equal. The right choice depends on your organization's specific needs, device ownership models, and existing infrastructure.

This post walks through the four primary enrollment methods to help you make an informed decision. The methods are:

  • Windows Automatic Enrollment: The foundational method for corporate devices.
  • Windows Autopilot: The modern, "zero-touch" standard for provisioning new devices.
  • BYOD: User Enrollment: For personal devices that need access to corporate resources.
  • Co-management with Configuration Manager: For organizations transitioning from traditional to modern management.

 

1) Windows Autopilot

Use case: You are provisioning brand-new corporate devices and want a "zero-touch" deployment. Windows Autopilot is designed specifically for this scenario. It automates the setup and pre-configuration of new devices, getting them ready for productive use without IT intervention.

Why Autopilot is the right fit:

  • OEM Integration: It leverages device hardware IDs (hashes) that you can get from your OEM, allowing you to "claim" the device in Intune before it's even unboxed.
  • Excellent for Remote Workers: Devices can be shipped directly to users. The user unboxes the device, connects to the internet, enters their work credentials, and Autopilot handles the rest.
  • Custom OOBE: You control the user experience, including skipping unnecessary setup screens, enforcing terms, and displaying an Enrollment Status Page (ESP) to show progress.
  • Device Context: It's ideal for both Entra joined (cloud-native) and Hybrid Entra joined devices, giving you flexibility.

High-Level Steps:

  1. Licensing: Ensure you have Microsoft Entra Premium P1 or higher.
  2. Get Hardware Hashes: Obtain the 4K hardware hash for each device from your OEM or by manually running a PowerShell script.
  3. Register Devices: Upload the hardware hashes to the Intune portal under Devices > Enrollment > Windows Autopilot Devices.
  4. Create a Deployment Profile: Define the OOBE settings (e.g., user-driven vs. self-deploying, join type, language).
  5. Assign Profile: Assign the deployment profile to a device group.

Lab Practice: Windows Autopilot

1. Get hardware hashes from OEM or script.
2. Upload hashes to Intune portal.
3. Create & assign a Deployment Profile.
4. (Optional) Assign an Enrollment Status Page (ESP).
5. User unboxes, connects to internet, and signs in.

 

Detailed lab practice steps: https://prasadchenikkala.blogspot.com/2025/07/ms-intune-windows-autopilot-deployment.html

2) Enrolling Existing Corporate Devices or BYOD

Use case: You have existing corporate-owned devices that are not yet managed, or you have a "Bring Your Own Device" (BYOD) policy where employees use their personal Windows PCs for work.

Choice A (Corporate-owned): Windows Automatic Enrollment

This is the most straightforward method for enrolling corporate devices already in use. It's triggered when a user joins their device to Microsoft Entra ID or registers it with their work account.

Why Automatic Enrollment is a good fit:

  • Bulk Enrollment: It's a scalable way to enroll a large number of existing devices.
  • User-Driven: The process is simple for the user. They sign in with their organizational account, and the device automatically enrolls in Intune based on pre-configured settings.
  • Foundation: It's the underlying mechanism for many other enrollment scenarios, including Autopilot.

High-Level Steps:

  1. Licensing: Ensure you have Microsoft Entra Premium P1 or higher.
  2. Configure MDM Scope: In the Intune portal, go to Devices > Enrollment > Automatic Enrollment. Set the MDM user scope to 'All' or a specific group of users.
  3. User Action: The user goes to Settings > Accounts > Access work or school > Connect and signs in with their organizational credentials, choosing to "Join this device to Microsoft Entra ID."

Lab practice: Windows Automatic Enrollment

1. In Intune, go to Devices > Enrollment > Automatic Enrollment.
2. Set MDM user scope to a user group.
3. User goes to Settings > Accounts > Access work or school.
4. User clicks Connect and "Joins this device to Microsoft Entra ID."


3) Choice B (Personal / BYOD): BYOD User Enrollment

When the device is personally owned by the user, you must respect their privacy and avoid taking full control. BYOD enrollment (also known as "work or school account registration") provides a lighter touch, securing corporate data without managing the entire device.

Why BYOD User Enrollment is the right fit:

  • Privacy: It separates work data from personal data. Management policies (like app protection) only apply to the work profile and associated apps.
  • User Consent: Users explicitly understand their personal device might be managed by their organization for work purposes.
  • Lightweight: It doesn't require the device to be fully Entra joined. It's a registration process.

High-Level Steps:

  1. No Entra Premium Required: This is a key advantage if licensing is a concern.
  2. Configure MDM Scope: Similar to automatic enrollment, ensure the MDM user scope is set.
  3. User Action: The user goes to Settings > Accounts > Access work or school > Connect and enters their work email address. The device is registered, not joined.

Lab practice: BYOD User Enrollment

1. User goes to Settings > Accounts > Access work or school.
2. User clicks Connect and enters their work email.
3. Follow prompts to register the device (does not join Entra ID).

 

4) Managing Devices with Microsoft Configuration Manager (SCCM)

Use case: Your organization has a mature investment in Configuration Manager (formerly SCCM) for device management, but you want to leverage Intune's cloud capabilities like Conditional Access, remote wipe, or Autopilot.

Best Method: Co-management with Configuration Manager

Co-management is the bridge between traditional and modern management. It allows you to manage Windows devices with both ConfigMgr and Intune simultaneously. You can gradually shift management "workloads" (like compliance policies or app deployment) from ConfigMgr to Intune at your own pace.

Why Co-management is the right fit:

  • Phased Transition: You don't have to go "all-in" on the cloud at once. Start with one workload (e.g., Compliance Policies) and move others over time.
  • Leverage Existing Investment: Continue using your powerful ConfigMgr infrastructure for tasks like OS deployment and detailed software patching while using Intune for modern, cloud-based policies.
  • Path to Autopilot: You can use co-management to provision existing ConfigMgr clients, and then use Autopilot for all new devices moving forward.
  • Hybrid Join Support: It is designed to work seamlessly with Hybrid Entra joined devices that are domain-joined and registered in Entra ID.

High-Level Steps:

  1. Prerequisites: Ensure you have the required versions of ConfigMgr and Windows, proper licensing (Entra ID P1 + Intune), and devices are Hybrid Entra joined.
  2. Enable Cloud Attach: In the ConfigMgr console, configure Cloud Attach to connect your site to your Intune tenant.
  3. Configure Co-management: In the Co-management settings, enable automatic enrollment in Intune for your clients.
  4. Shift Workloads: Use the sliders on the "Workloads" tab to decide whether ConfigMgr or Intune is the management authority for specific tasks.

Lab Practice: Co-management:

1. In ConfigMgr, set up Cloud Attach to link to Intune.
2. In the Co-management properties, enable enrollment for a device collection.
3. Go to the Workloads tab and use sliders to move specific tasks (e.g., Compliance) to Intune.

 

| Method | Best For... | Primary Use Case | Key Prerequisite |
|---|---|---|---|
| Windows Autopilot | New corporate devices for a zero-touch, modern provisioning experience. | OEM/Reseller purchases, remote worker deployments, kiosk/shared devices. | Microsoft Entra Premium P1 |
| Windows Automatic Enrollment | Enrolling existing corporate devices at scale. | Bulk enrollment of current devices, baseline for corporate enrollment. | Microsoft Entra Premium P1 |
| BYOD: User Enrollment | Securing corporate data on employees' personal Windows devices. | "Bring Your Own Device" (BYOD) scenarios where privacy is key. | None (Entra Premium not required) |
| Co-management | Organizations using Configuration Manager (SCCM) and wanting to adopt cloud features. | Phased migration from traditional to modern management. | ConfigMgr, Entra Premium P1 |

 

Steps to configure the above four methods using PowerShell

You can use PowerShell to configure and manage all four enrollment methods, primarily using the Microsoft Graph PowerShell SDK for Intune/Entra tasks and the ConfigurationManager module for SCCM.

Prerequisites: Install Necessary Modules

First, you'll need to install the required PowerShell modules. Run PowerShell as an administrator to execute these commands.

 

After installing, you'll need to connect to the services.
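The module installation and sign-in commands, as an added example (not the post's own script): it installs the Microsoft Graph authentication module and the community Get-WindowsAutopilotInfo script from the PowerShell Gallery, loads the ConfigurationManager module from a machine that has the ConfigMgr console, and connects to Graph with only the delegated scopes the enrollment tasks below need. The ConfigMgr site code `PS1` is an assumption.

```powershell
# Added example, not the post's own script. Run in an elevated PowerShell session.

# Graph SDK: the Authentication module alone is enough for Invoke-MgGraphRequest-based scripts
Install-Module -Name Microsoft.Graph.Authentication -Scope CurrentUser -Force
# Community script for collecting and uploading Autopilot hardware hashes
Install-Script -Name Get-WindowsAutopilotInfo -Force

# The ConfigurationManager module ships with the ConfigMgr console (not on the Gallery).
# SMS_ADMIN_UI_PATH is only set on machines where the console is installed.
if ($env:SMS_ADMIN_UI_PATH) {
    Import-Module "$($env:SMS_ADMIN_UI_PATH)\..\ConfigurationManager.psd1"
    Set-Location 'PS1:'   # site code is an assumption; ConfigMgr cmdlets run from the site drive
}

# Verify what actually got installed before relying on it
Get-Module -ListAvailable Microsoft.Graph.Authentication | Select-Object Name, Version
Get-InstalledScript -Name Get-WindowsAutopilotInfo        | Select-Object Name, Version

# Least-privilege delegated scopes: Autopilot device import, MDM scope policy, group lookup
Connect-MgGraph -Scopes 'DeviceManagementServiceConfig.ReadWrite.All',
                        'Policy.ReadWrite.MobilityManagement',
                        'Group.Read.All'
```

Requesting only these scopes (rather than a broad admin scope) keeps the session's blast radius small, and the consent prompt shows exactly what the script can touch.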

1. Windows Autopilot

PowerShell is essential for Autopilot, especially for capturing device information and automating profile management.

Step 1: Capture the Hardware Hash from a Device

On a running Windows device, this script captures the unique hardware hash required for Autopilot registration.

Step 2: Import the Device and Assign a Profile via Graph PowerShell

This script imports the captured device hash into the Autopilot service and assigns it to a group.
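Both steps carried through in one script, as an added example (not the post's own): `Export-AutopilotHashCsv` runs on the device and writes the hash in the CSV layout the Intune portal accepts for manual upload; `Import-AutopilotDevices` runs on an admin workstation after `Connect-MgGraph` (scope DeviceManagementServiceConfig.ReadWrite.All), posts each row to the Graph importedWindowsAutopilotDeviceIdentities endpoint, and polls until the asynchronous import finishes. The group tag value `Pilot`, the output path and the polling timeout are assumptions.

```powershell
# Added example, not the post's own script.

function Export-AutopilotHashCsv {
    # Runs on the device being registered (elevated). The MDM bridge class
    # MDM_DevDetail_Ext01 exposes the 4K hardware hash as a base64 string.
    param([string]$OutputFile = "$env:TEMP\AutopilotHWID.csv")   # path is an assumption
    $devDetail = Get-CimInstance -Namespace 'root/cimv2/mdm/dmmap' -ClassName 'MDM_DevDetail_Ext01' `
        -Filter "InstanceID='Ext' AND ParentID='./DevDetail'"
    if (-not $devDetail) { throw 'Hardware hash not available; run elevated on the Windows device.' }
    $serial = (Get-CimInstance -ClassName Win32_BIOS).SerialNumber
    # Column headers are the ones the Intune portal expects for a CSV upload
    [pscustomobject]@{
        'Device Serial Number' = $serial
        'Windows Product ID'   = ''
        'Hardware Hash'        = $devDetail.DeviceHardwareData
    } | Export-Csv -Path $OutputFile -NoTypeInformation
    return $OutputFile
}

function Import-AutopilotDevices {
    # Runs on the admin workstation; assumes Connect-MgGraph has already been called.
    param(
        [Parameter(Mandatory)][string]$CsvPath,
        [string]$GroupTag = 'Pilot',          # assumption; feeds a dynamic device group
        [int]$TimeoutSeconds = 600
    )
    $uri = 'https://graph.microsoft.com/v1.0/deviceManagement/importedWindowsAutopilotDeviceIdentities'
    $pending = @()
    foreach ($row in Import-Csv -Path $CsvPath) {
        $body = @{
            '@odata.type'      = '#microsoft.graph.importedWindowsAutopilotDeviceIdentity'
            serialNumber       = $row.'Device Serial Number'
            productKey         = $row.'Windows Product ID'
            hardwareIdentifier = $row.'Hardware Hash'      # already base64 from the WMI class
            groupTag           = $GroupTag
            state              = @{ '@odata.type' = 'microsoft.graph.importedWindowsAutopilotDeviceIdentityState'
                                    deviceImportStatus = 'pending' }
        }
        $pending += Invoke-MgGraphRequest -Method POST -Uri $uri -Body $body
    }
    # The import is asynchronous: poll each entry until it leaves the unknown/pending state
    $deadline = (Get-Date).AddSeconds($TimeoutSeconds)
    $results  = @{}
    while ($pending.Count -gt 0 -and (Get-Date) -lt $deadline) {
        Start-Sleep -Seconds 15
        $stillPending = @()
        foreach ($dev in $pending) {
            $cur    = Invoke-MgGraphRequest -Method GET -Uri "$uri/$($dev.id)"
            $status = $cur.state.deviceImportStatus
            if ($status -in 'unknown', 'pending') { $stillPending += $dev; continue }
            $results[$cur.serialNumber] = if ($status -eq 'complete') { 'complete' }
                                          else { "$status ($($cur.state.deviceErrorName))" }
        }
        $pending = $stillPending
    }
    foreach ($dev in $pending) { $results[$dev.serialNumber] = 'timeout' }
    return $results   # serial -> complete | error (name) | timeout
}

# Usage (two machines): on the device, Export-AutopilotHashCsv; copy the CSV over, then
# Import-AutopilotDevices -CsvPath .\AutopilotHWID.csv -GroupTag 'Pilot'
```

The "assign to a group" part is done by the group tag: a dynamic device group with the rule `(device.devicePhysicalIds -any (_ -eq "[OrderID]:Pilot"))` picks up these devices, and the deployment profile and ESP are assigned to that group. Treat the hash CSV as sensitive while it is in transit: whoever holds it can register those serials into a tenant.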

2. & 3. Windows Automatic & BYOD Enrollment:

The PowerShell configuration for both Automatic Enrollment (for corporate devices) and BYOD User Enrollment is identical because it involves setting the MDM (Mobile Device Management) user scope policy in Microsoft Entra ID. The difference is in the action the user takes on the device.

This script checks and sets the MDM user scope to "All" users.
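The check-and-set logic, as an added example (not the post's own script): it reads the Intune MDM policy through the Graph mobilityManagementPolicies resource, keyed by the well-known Intune application ID, and sets `appliesTo` to `all`, or, going one step further than the post's description, to `selected` with a pilot group so the scope matches the lab practice above. Assumes `Connect-MgGraph` with scope Policy.ReadWrite.MobilityManagement; the group name `MDM-Enrollment-Users` is an assumption.

```powershell
# Added example, not the post's own script.

$IntuneAppId = '0000000a-0000-0000-c000-000000000000'   # well-known Microsoft Intune app ID
$PolicyUri   = "https://graph.microsoft.com/v1.0/policies/mobileDeviceManagementPolicies/$IntuneAppId"

function Get-MdmUserScope {
    # Returns the current MDM user scope: none | all | selected, plus the included groups
    $p = Invoke-MgGraphRequest -Method GET -Uri "${PolicyUri}?`$expand=includedGroups"
    [pscustomobject]@{
        AppliesTo      = $p.appliesTo
        IncludedGroups = @($p.includedGroups | ForEach-Object { $_.displayName })
        DiscoveryUrl   = $p.discoveryUrl
    }
}

function Set-MdmUserScope {
    param(
        [Parameter(Mandatory)][ValidateSet('none', 'all', 'selected')][string]$AppliesTo,
        [string]$GroupName = 'MDM-Enrollment-Users'   # assumption; only used with 'selected'
    )
    $current = Get-MdmUserScope
    # Idempotent: do nothing when the scope already matches and no group change is requested
    if ($current.AppliesTo -eq $AppliesTo -and $AppliesTo -ne 'selected') { return $current }

    Invoke-MgGraphRequest -Method PATCH -Uri $PolicyUri -Body @{ appliesTo = $AppliesTo } | Out-Null

    if ($AppliesTo -eq 'selected' -and ($current.IncludedGroups -notcontains $GroupName)) {
        $grp = Invoke-MgGraphRequest -Method GET `
            -Uri "https://graph.microsoft.com/v1.0/groups?`$filter=displayName eq '$GroupName'&`$select=id"
        if (-not $grp.value) { throw "Group '$GroupName' not found" }
        # Add the group to the policy's includedGroups via a $ref link
        Invoke-MgGraphRequest -Method POST -Uri "$PolicyUri/includedGroups/`$ref" `
            -Body @{ '@odata.id' = "https://graph.microsoft.com/odata/groups('$($grp.value[0].id)')" } | Out-Null
    }
    return Get-MdmUserScope
}

# Usage: Set-MdmUserScope -AppliesTo all
#        Set-MdmUserScope -AppliesTo selected -GroupName 'MDM-Enrollment-Users'
```

Reading the scope back after the PATCH (rather than trusting the call succeeded) is what makes this a check as well as a set. Scoping to a group before widening to "All" limits how many users can silently enroll devices while the compliance and configuration policies are still being tuned.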

 

4. Co-management with Configuration Manager

Co-management is configured within Configuration Manager, which has its own PowerShell module. This is performed on the SCCM site server.

This script enables co-management, points it to a pilot collection, and moves the Compliance Policies workload to Intune.
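The post's script runs on the site server; a client-side companion, as an added example (not the post's own script), verifies that the change actually landed. It decodes the `CoManagementFlags` value the ConfigMgr client writes under `HKLM\SOFTWARE\Microsoft\CCM`, using the documented bit values, so you can confirm that the Compliance Policies workload is now Intune's on a pilot device. The sample value `3` is constructed.

```powershell
# Added example, not the post's own script. Runs on a co-managed Windows client.

# Documented CoManagementFlags bits: 1 = co-management enabled; the rest mark a workload
# that has been moved to Intune (a clear bit means ConfigMgr still owns it).
$Workloads = @{
    2   = 'Compliance policies'
    4   = 'Resource access policies'
    8   = 'Device configuration'
    16  = 'Windows Update policies'
    32  = 'Endpoint Protection'
    64  = 'Client apps'
    128 = 'Office Click-to-Run apps'
}

function ConvertFrom-CoManagementFlags {
    param([Parameter(Mandatory)][int]$Flags)
    $keys = $Workloads.Keys | Sort-Object
    [pscustomobject]@{
        Flags              = $Flags
        Enabled            = [bool]($Flags -band 1)
        IntuneWorkloads    = @($keys | Where-Object { $Flags -band $_ }        | ForEach-Object { $Workloads[$_] })
        ConfigMgrWorkloads = @($keys | Where-Object { -not ($Flags -band $_) } | ForEach-Object { $Workloads[$_] })
    }
}

function Test-CoManagementState {
    # Reads the live value and reports whether the expected workload moved
    param([string]$ExpectWorkload = 'Compliance policies')
    $flags = (Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\CCM' -Name CoManagementFlags -ErrorAction Stop).CoManagementFlags
    $state = ConvertFrom-CoManagementFlags -Flags $flags
    if (-not $state.Enabled) {
        Write-Warning 'Co-management is not enabled on this client (flags = 0); check CoManagementHandler.log'
    } elseif ($state.IntuneWorkloads -contains $ExpectWorkload) {
        Write-Host "'$ExpectWorkload' is managed by Intune on this client"
    } else {
        Write-Warning "'$ExpectWorkload' is still managed by ConfigMgr on this client"
    }
    return $state
}

# Constructed sample: 3 = enabled (1) + Compliance policies moved to Intune (2)
ConvertFrom-CoManagementFlags -Flags 3
# Live check on a pilot client:
# Test-CoManagementState -ExpectWorkload 'Compliance policies'
```

A value of 0 after you enabled co-management usually means the client has not yet received the policy or has not auto-enrolled; the `CoManagementHandler.log` on the client is where the enrollment attempt and any error are recorded.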

General Interview Question on Windows Device Management:

 

Question 1: Can you briefly explain the primary purpose of the four main Windows enrollment methods?

There are four methods to enroll Windows devices: 1) Autopilot, 2) Automatic Enrollment, 3) BYOD User Enrollment, 4) Co-management (hybrid method).

  • Autopilot: For new devices, zero-touch deployment, customizing the Out-of-Box Experience (OOBE).
  • Automatic Enrollment: For existing corporate devices, triggered by a user joining Microsoft Entra ID.
  • BYOD: For personal devices, focusing on app/data protection rather than full device management.
  • Co-management: For organizations with Configuration Manager (SCCM), bridging traditional and modern management.

 

Question 2: What is the key difference between a device that is Microsoft Entra joined and one that is Microsoft Entra registered? Which enrollment method corresponds to each state?

  • Joined: The device is owned by the organization and the primary identity on the device is an organizational account. Corresponds to Autopilot and Automatic Enrollment.
  • Registered: The device is personal (BYOD), and the user is simply adding their work/school account for access to resources. The device's primary identity remains personal. Corresponds to BYOD User Enrollment.
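How to tell the two states apart on a real device, as an added example (not part of the post): it parses the output of the built-in `dsregcmd /status` tool and maps the joined/hybrid/registered state to the enrollment method the answer above pairs with it. The sample output is constructed and abridged.

```powershell
# Added example, not part of the post.

function Get-DsregValue {
    # Pull "Name : value" from dsregcmd output; returns $null if the field is absent
    param([string[]]$Lines, [string]$Name)
    foreach ($line in $Lines) {
        if ($line -match "^\s*$Name\s*:\s*(.+?)\s*$") { return $Matches[1] }
    }
    return $null
}

function Get-DeviceJoinState {
    param([string[]]$StatusText = (& dsregcmd /status))
    $azureJoined  = (Get-DsregValue $StatusText 'AzureAdJoined')   -eq 'YES'   # Device State
    $domainJoined = (Get-DsregValue $StatusText 'DomainJoined')    -eq 'YES'   # Device State
    $registered   = (Get-DsregValue $StatusText 'WorkplaceJoined') -eq 'YES'   # User State
    $mdmUrl       =  Get-DsregValue $StatusText 'MdmUrl'                        # Tenant Details

    $state = if ($azureJoined -and $domainJoined) { 'Hybrid Entra joined' }
             elseif ($azureJoined)                 { 'Entra joined' }
             elseif ($registered)                  { 'Entra registered' }
             else                                  { 'Not joined or registered' }

    $method = switch ($state) {
        'Entra joined'        { 'Autopilot or Automatic Enrollment' }
        'Hybrid Entra joined' { 'Automatic Enrollment after Hybrid join, or Co-management' }
        'Entra registered'    { 'BYOD User Enrollment' }
        default               { 'None' }
    }

    [pscustomobject]@{
        State       = $state
        Method      = $method
        MdmEnrolled = [bool]$mdmUrl   # an MdmUrl is present only once the device is MDM-enrolled
        MdmUrl      = $mdmUrl
    }
}

# Constructed, abridged sample from an Entra-joined, Intune-enrolled device
$sample = @'
| Device State                                                         |
             AzureAdJoined : YES
          EnterpriseJoined : NO
              DomainJoined : NO
| Tenant Details                                                       |
                    MdmUrl : https://enrollment.manage.microsoft.com/enrollmentserver/discovery.svc
| User State                                                           |
                    NgcSet : NO
           WorkplaceJoined : NO
'@ -split "`r?`n"

Get-DeviceJoinState -StatusText $sample   # State: Entra joined, MdmEnrolled: True
# Live check: Get-DeviceJoinState
```

`WorkplaceJoined` lives in the User State section, so the registered check is only meaningful when the command runs in the signed-in user's context, not from SYSTEM. A device that shows `AzureAdJoined : YES` but no `MdmUrl` is joined but never enrolled in Intune, which is the usual symptom of an MDM user scope that does not include that user.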

Question 3: "What is a 'hardware hash' and why is it critical for the Windows Autopilot process?"

  • The hardware hash (4K HH) is a unique identifier for a device's hardware components. It's critical because it allows an organization to "claim" a device in their Intune tenant before it's ever powered on, associating it with their Autopilot deployment profile.

 

Question 4: "A client is a cloud-first startup with 150 employees, all working remotely. They just purchased a fleet of new laptops to be shipped directly to their employees' homes. They have Microsoft 365 E5 licenses. Which enrollment method would you recommend, and why? Walk me through the high-level steps you'd take to set it up."

  • Recommendation: Unquestionably Windows Autopilot.
  • Reasoning: Mention "zero-touch," "remote workers," "shipping direct from OEM," and "custom OOBE."
  • Steps: They should mention obtaining hardware hashes from the OEM, uploading them to Intune, creating and assigning a deployment profile, and assigning an Enrollment Status Page (ESP).

Question 5: "An established company has 2,000 existing, domain-joined desktops that are managed solely by Group Policy. They now want to manage them with Intune to enforce compliance policies for Conditional Access. They do not use SCCM. What is their most efficient path to getting these devices enrolled in Intune?"

  • Recommendation: The path is Hybrid Entra Join followed by Windows Automatic Enrollment.
  • Process: They should describe setting up Entra ID Connect to sync device objects, configuring the GPO or client setting to trigger device registration, and then setting the MDM User Scope in Intune to auto-enroll devices once they become Hybrid Joined.

Question 6: "A large enterprise has a mature Configuration Manager (SCCM) environment they use for OS imaging, software updates, and complex application packaging. They are not ready to abandon it, but they want to use Intune for modern capabilities like remote wipe and BitLocker key escrow. What do you propose?"

  • Recommendation: The perfect use case for Co-management.
  • Explanation: Co-management allows both SCCM and Intune to manage the device simultaneously. They should mention the concept of "workloads" and suggest moving just the "Device Compliance" and "Endpoint Protection" workloads to Intune initially, while leaving Application and Update management with SCCM.

Category 3: Troubleshooting & Advanced Questions


Question 7: "A user reports their Autopilot enrollment is failing and stuck on the Enrollment Status Page (ESP). It's hanging on the 'Device setup' phase, specifically on an application install. What are your first three troubleshooting steps?"

  • A logical, systematic approach:
    1. Check the ESP Profile: Verify which apps are configured as "blocking" apps in the ESP settings. Is the failing app one of them?
    2. Check App Assignment: Confirm the failing application is correctly assigned to the user or device group and that its detection rules are correct.
    3. Collect Logs: Instruct the user to press Shift + F10 to open a command prompt (if enabled in the profile) to access diagnostic tools or, more practically, guide them through collecting the MDM Diagnostic logs to be analyzed in the Intune portal or Event Viewer.

Question 8: "You've been asked to design a strategy for devices that must be treated as kiosks. They will be used in a public lobby for guest sign-in. Which Autopilot mode would you use, and what are its key characteristics?"

  • Recommendation: Autopilot Self-Deploying Mode.
  • Characteristics: They must mention that this mode is user-less (no user credentials required for deployment), requires a physical network connection (Ethernet) or pre-provisioned Wi-Fi, and requires a device with a TPM 2.0 chip. It joins the device to Entra ID and enrolls it in Intune, after which a kiosk profile can be applied.

Question 9: "A company is migrating from a competing MDM solution to Intune. An admin attempts to enroll a device in Intune that is still managed by the old MDM, and it fails. Why did it fail, and what is the correct migration procedure?"

  • Reason for Failure: A Windows device can only have one MDM authority at a time. The device is still "owned" by the old MDM, so Intune's enrollment request is rejected.
  • Correct Procedure: The candidate must state that the device needs to be fully unenrolled (retired/wiped) from the previous MDM provider first. Once it is no longer managed, it can then be enrolled into Intune using the appropriate method (e.g., Automatic Enrollment or Autopilot Reset).