What you need to know before enrolling a Windows 10 device in Intune

If you are planning to enroll Windows 10 devices in Microsoft Endpoint Manager, there are a couple of concepts you need to know in advanced. On this post we will go over some definitions.

Managed Devices

A managed devices are devices that are under some sort of organizational control.

  • A prerequisite to manage a device is that the device has to have a registration with Azure AD.
  • This registration creates an identity for the device and it is presented as an object.
  • This object is used by Azure to track status information about a device.

To get a device registered in Azure AD, you have three options:

Azure AD registered

Typically personally owned or mobile devices.

Azure AD registered devices are signed in to using a local account like a Microsoft account on a Windows 10 device, but additionally have an Azure AD account attached for access to organizational resources.

This registration can be accomplished when accessing a work application for the first time or manually using the Windows 10 Settings menu.

Scenario: The user adds their organization account and registers their home PC with Azure AD and the required Intune policies are enforced giving the user access to their resources.

Azure AD joined

Azure AD join is intended for organizations that want to be cloud-first or cloud-only. Devices are owned by an organization and are signed in with an Azure AD account.

They exist only in the cloud.

Azure AD join can be accomplished using self-service options like the Out of Box Experience (OOBE), bulk enrollment, or Windows Autopilot.

Scenario: You want to provide joining capabilities to workers in remote branch offices with limited on-premises infrastructure.

Hybrid Azure AD joined

Devices that are owned by an organization and are signed in with an Active Directory account.

They exist in the cloud and on-premises.

Typically, organizations with an on-premises footprint rely on imaging methods to provision devices, and they often use Configuration Manager or group policy (GP) to manage them.

Scenario: You want to continue to use Group Policy to manage device configuration.

So, first I invite you to think what is the direction you want to take for your environment and your end users, ask yourself, Are the end users going to work on their own PCs but they need access to company resources? Are we going to move away from on-premises any time soon? Are we still going to support on premises apps? Can we have more cloud capabilities?

On the references section you can find the links to Microsoft docs to have more information about each types of registration, on the next post, we will go over the Windows enrollment methods currently available from User-self to Admin-based, so stayed tuned ♥

Lastly, I created a presentation to explain this, download it in case you want to take a look! (:


What is a device identity?
Require managed devices for cloud app access with Conditional Access
Azure AD registered devices
Azure AD joined devices
Hybrid Azure AD joined devices

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out /  Change )

Facebook photo

You are commenting using your Facebook account. Log Out /  Change )

Connecting to %s