unsplash-image-eB3T0ibP72g.jpg

 

 

When we are working with our customers to enable management of Windows 10 devices out of the cloud, there are three main options we use for end-users to enrol their devices into Microsoft Intune.  

  • Azure Active Directory (Azure AD) Registered 

  • Azure Active Directory (Azure AD) Joined 

  • Azure Active Directory (Azure AD) Joined via Windows Autopilot 

This article runs through these options, the pros & cons, and our recommendations for each.  

As a note, these methods are reliant on Automatic Enrollment being enabled in your Intune tenant, information on how to set that up can be found here

 

Azure Active Directory (Azure AD) Registered

Azure AD Registered devices are registered to Azure AD without requiring a corporate account to sign into the device. This enrolment option provides support for BYOD devices. Basically, Azure AD knows about the device but does not require a corporate identity to authenticate into device – this is considered the BYOD option. 

Pros 

  • Available on Windows 10 Home and above. 

  • Perfect for BYOD devices. 

Cons 

  • Requires a local or Microsoft account on the device, cannot sign-in to Windows with their Azure AD account – which can lead to confusion.  

  • Local/Microsoft account may require password change once enrolled if it does not meet security requirements. 

  • Azure AD administrators cannot sign-in to the device.  

To enroll 

  • Settings -> Accounts -> Access School or Work -> Connect -> enter email address.

 

Azure Active Directory (Azure AD) Joined

Azure AD Joined is for cloud-first companies that want devices to join to Azure AD. A corporate account is required to sign into the device. This option is suitable for both cloud-only and hybrid organisations, enabling access to both cloud and on-premise apps and resources. 

Pros 

  • Creates Azure AD account that will be used for corporate access. 

  • Only one account and password to remember on the device. 

  • Azure AD administrators can sign into the device. 

Cons 

  • Requires a Windows 10 Pro device license. 

  • Additional configuration required to remove local administrator. 

To Enroll 

  • Settings -> Accounts -> Access School or Work -> Connect -> Join this device to Azure Active Directory. 

    P2.png

 

Or, during Out of Box Experience (OOBE) enter the Azure AD email address at the Microsoft account sign-in stage.

P3.png


Azure Active Directory (Azure AD) Joined via Autopilot

Windows Autopilot enrolment is our recommendation wherever possible. This is most easily achieved when devices are purchased from a reseller who can either provide the hardware hash of the device at time of purchase or upload this data directly to your Azure portal. Manually discovering and loading the hardware hash is possible – the manual steps to get a device hardware hash is detailed in this article. 

Pros 

  • Creates Azure AD account that will be used for corporate access. 

  • Only one account and password to remember on the device. 

  • Azure AD administrators can sign into the device. 

  • Walks user through initial device setup every time the device is setup from factory reset state (no devices that accidentally don’t get enrolled). 

  • Can be used to setup end-users under a local user account rather than as local administrator. 

Cons 

How to enroll 

  • After being added to Intune Autopilot, every time the device is setup from a factory reset state it will guide the user through enrolling the device. 

  • Setup can be completed from any internet connection – it does not have to be on a domain. 

    P4.png

Conclusion

Whether you are purchasing new devices, enabling BYOD or cloud enabling existing Windows 10 devices, the various enrolment options detailed in this article will allow you to start getting devices into Intune and managed remotely via the cloud.   

Where possible, we recommend using Windows Autopilot and enabling zero-touch provisioning to automate and streamline the set-up experience: pushing apps, content, and configuration during the enrolment process.  

If you’re interested in Windows Autopilot for your company, contact us. Or check out our Zero Touch Provisioning service. 

 
Learn more about Zero Touch Provisioning

CONNOR BEVAN

Connor is a Modern Work & Security Engineer at based in Wellington, New Zealand. Working at Mobile Mentor for over three years he has a strong focus in Enterprise Mobility Management products as well as Microsoft 365 Enterprise Administration and Security Services.